Date:      Thu, 7 Jun 2001 16:02:46 -0700 (PDT)
From:      patl@Phoenix.Volant.ORG
To:        Bill Moran <wmoran@iowna.com>
Cc:        Josh Thomas <jdt2101@ksu.edu>, freebsd-questions@freebsd.org
Subject:   Re: IPFW rules and outward connections
Message-ID:  <ML-3.4.991954966.2085.patl@asimov.phoenix.volant.org>
In-Reply-To: <3B1FE973.AE494B0D@iowna.com>

On  7-Jun-01 at 13:54, Bill Moran (wmoran@iowna.com) wrote:
> ...                                       Basically, if some other
> rule in your ruleset allows an internal machine to establish a
> connection, this rule will allow the machines that are part of the
> connection to continue to communicate.

More accurately, it will allow any incoming packet with the header
flags set in such a manner that it -claims- to be part of an established
connection.  Even if the connection is now closed, or never existed
at all.  This is used for some types of Denial Of Service attacks and
stealth port scans.

> The opposite of established is setup, for example:
> 
> allow tcp from 192.168.5.73 to any 22 setup
> allow tcp from any to 192.168.5.73 22 setup
> allow tcp from any to any established
> deny tcp from any to any
> 
> Will allow the IP listed to initiate a ssh connection to anyone or
> receive a ssh connection from anyone, while the second rule ensures that
> the connection can continue to communicate and the final rule blocks
> anything that doesn't fit into the first category.
> tcp communications must establish themselves, therefore anything that is
> not specifically allowed to "setup" will never get to the "established"
> state. (it's probably best, for speed, to always put the "established"
> rule near the beginning of your ruleset)

But some l33t h4x0r can craft bogus packets which -claim- to be part
of a non-existent established connection.



-Pat
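
The ruleset quoted above and Pat's point about forged packets, as an added example that is not part of the original thread and not ipfw's own code: a small evaluator that applies the four rules with ipfw(8)'s flag-only semantics ("setup" is SYN without ACK, "established" is ACK or RST set, first match wins). It shows that an ACK to port 80 of 192.168.5.73, with no handshake ever having taken place, is passed by the "established" rule, which is exactly what an ACK scan relies on. A second class adds a minimal connection table so that "established" only matches flows an "allow ... setup" rule actually opened. The outside host 203.0.113.9, the ports, and the rule grammar (only the "action proto from src to dst [port] [setup|established]" subset) are assumptions for the example.

```python
"""Toy evaluator for the ipfw ruleset quoted above.

Added example, not code from the original message or from ipfw itself.  It
models the two TCP flag qualifiers as ipfw(8) defines them ("setup" is SYN
without ACK, "established" is ACK or RST set) and shows that a forged ACK to
a port nobody ever connected to sails through the "established" rule, then
contrasts a minimal stateful table.  Addresses and ports are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST", "FIN"}


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "ip"
    src: str                  # address or "any"
    dst: str
    dport: Optional[int]      # None: any port
    qualifier: Optional[str]  # "setup", "established" or None

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if self.src != "any" and ip_address(self.src) != ip_address(p.src):
            return False
        if self.dst != "any" and ip_address(self.dst) != ip_address(p.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # The qualifiers look only at header bits; no connection table exists.
        if self.qualifier == "setup":
            return "SYN" in p.flags and "ACK" not in p.flags
        if self.qualifier == "established":
            return bool(p.flags & {"ACK", "RST"})
        return True


def parse_rule(text: str) -> Rule:
    """Parse the 'action proto from src to dst [port] [setup|established]'
    subset of ipfw syntax used in the thread (assumed grammar)."""
    t = text.split()
    if t[2] != "from" or t[4] != "to":
        raise ValueError(text)
    rest = t[6:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return Rule(t[0], t[1], t[3], t[5], dport, rest[0] if rest else None)


RULESET = [parse_rule(r) for r in (
    "allow tcp from 192.168.5.73 to any 22 setup",
    "allow tcp from any to 192.168.5.73 22 setup",
    "allow tcp from any to any established",
    "deny tcp from any to any",
)]


def verdict(p: Packet, rules: List[Rule] = RULESET) -> str:
    """Stateless ipfw semantics: first matching rule wins, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Same ruleset, but 'established' only passes packets whose endpoint
    pair was opened by a packet that an 'allow ... setup' rule accepted.
    Teardown (FIN/RST) and timeouts are deliberately not modelled."""

    def __init__(self, rules: List[Rule] = RULESET) -> None:
        self.rules = rules
        self.table: Set[FrozenSet[Tuple[str, int]]] = set()

    def verdict(self, p: Packet) -> str:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})  # direction-free
        for r in self.rules:
            if not r.matches(p):
                continue
            if r.qualifier == "established" and key not in self.table:
                continue   # claims to belong to a flow we never saw open
            if r.action == "allow" and r.qualifier == "setup":
                self.table.add(key)
            return r.action
        return "deny"


INSIDE, OUTSIDE = "192.168.5.73", "203.0.113.9"   # constructed hosts


def forged_ack(dport: int) -> Packet:
    """What an ACK scanner sends: ACK set, no handshake ever happened."""
    return Packet("tcp", OUTSIDE, INSIDE, 40000, dport, frozenset({"ACK"}))


if __name__ == "__main__":
    print("forged ACK to port 80, stateless:", verdict(forged_ack(80)))                    # allow
    print("forged ACK to port 80, stateful: ", StatefulFirewall().verdict(forged_ack(80)))  # deny
```

The stateless verdict is the behaviour Pat describes: the "established" rule never asks whether a connection exists, it only inspects the ACK/RST bits, so a scanner can probe any port behind it and a flood of bare ACKs is waved through. The stateful class is only a sketch of the idea; in real ipfw the equivalent is its keep-state / check-state dynamic rules, which also handle teardown and expiry.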


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ML-3.4.991954966.2085.patl>