Date: Sun, 12 Nov 2006 18:33:51 +0100 From: Alexander Leidinger <Alexander@Leidinger.net> To: Michal Mertl <mime@traveller.cz> Cc: freebsd-security@freebsd.org, "Julian H. Stacey" <jhs@flat.berklix.net>, "R. B. Riddick" <arne_woerner@yahoo.com> Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to anyestablished Message-ID: <20061112183351.099c3c10@Magellan.Leidinger.net> In-Reply-To: <1163351944.7859.8.camel@genius.i.cz> References: <216597.35069.qm@web30315.mail.mud.yahoo.com> <20061111213255.94jv54t544g4w8g4@webmail.leidinger.net> <1163351944.7859.8.camel@genius.i.cz>
next in thread | previous in thread | raw e-mail | index | archive | help
Quoting Michal Mertl <mime@traveller.cz> (Sun, 12 Nov 2006 18:19:03 +0100): > Alexander Leidinger p=C3=AD=C5=A1e v so 11. 11. 2006 v 21:32 +0100: > > Quoting "R. B. Riddick" <arne_woerner@yahoo.com> (from Sat, 11 Nov =20 > > 2006 11:00:49 -0800 (PST)): > >=20 > > > --- "Julian H. Stacey" <jhs@flat.berklix.net> wrote: > > >> I tried adding > > >> ${fwcmd} add pass tcp from any to any established > > >> from src/etc/rc.firewall case - simple. Which solved it. > > >> But I was scared, not undertstand what the established bit did, & > > >> how easily an attacker might fake something, etc. > > >> I found adding these tighter rules instead worked for me > > >> ${fwcmd} tcp from any http to me established in via tun0 > > >> ${fwcmd} tcp from me to any http established out via tun0 > > >> Should I still be worrying about established ? > > >> > > > Hmm... I personally use "check-states" and "keep-state", so that it i= s not > > > enough to fake the "established" flags, but the attacker had to know = =20 > > > the ports, > > > the IPs, control over routing in pub inet(?) and some little secrets = =20 > > > in the TCP > > > headers (I dont know exactly how it works): > > > add check-state > > > add pass icmp from any to any keep-state out xmit tun0 > > > add pass tcp from any to any setup keep-state out xmit tun0 > > > add pass udp from any to any domain keep-state out xmit tun0 > >=20 > > These are the stats of the first 7 rules on my DSL line afer one day: > > 00100 6423992 376898110 allow ip from any to any via lo0 > > 00200 0 0 deny ip from any to 127.0.0.0/8 > > 00300 0 0 deny ip from 127.0.0.0/8 to any > > 20000 0 0 check-state > > 30000 10013 1047483 deny tcp from any to any established > > 30100 226 45640 deny ip from any to any not verrevpath in > > 30200 7 280 deny tcp from any to any tcpoptions !mss setup > >=20 > > Another nice rule (stats after one day): > > 30800 3149862 117471324 deny ip from any to =20 > > 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0 >=20 > I am using something similar (with table instead of list filled from > http://www.cymru.com/Documents/bogon-bn-agg.txt ). >=20 > Your number seem to be extremely high to me - I have it on a router with > thousands of public IPs behind it and see nowhere as many hits. This is a 4.11-stable system. # uptime 6:22PM up 1 day, 22:44, 1 user, load averages: 0.01, 0.05, 0.06 # ipfw -a show 00100 11653484 696947498 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 127.0.0.0/8 to any 20000 0 0 check-state 30000 17150 1428089 deny tcp from any to any established 30100 235 48648 deny ip from any to any not verrevpath in 30200 16 640 deny tcp from any to any tcpoptions !mss setup 30300 0 0 deny ip from XXX 30400 0 0 allow ip from XXX 30500 275 48395 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.= 0.2.0/24,224.0.0.0/4,240.0.0.0/4 via wi0 30600 0 0 deny ip from 192.168.1.0/24,192.168.2.0/24 to any= in via tun0 30700 0 0 deny ip from any to 10.0.0.0/8,172.16.0.0/12 via = tun0 30800 5713020 213062040 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.= 0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0 30900 0 0 deny ip from 10.0.0.0/8,172.16.0.0/12 to any via = wi0 31000 0 0 deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/2= 4,224.0.0.0/4,240.0.0.0/4 to any via wi0 31100 0 0 deny ip = from 10.0.0.0/8,172.16.0.0/12 to any via tun0 31200 0 0 deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/2= 4,224.0.0.0/4,240.0.0.0/4 to any via tun0=20 Maybe dial-up/DSL lines are more interesting to hack for the botnet owners than whatever you have behind this router. Bye, Alexander. --=20 Adelai: A package is just a box until it's delivered.=20 http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID =3D B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID =3D 72077137
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061112183351.099c3c10>