From owner-freebsd-net Sun Feb 11 21:15:59 2001
Delivered-To: freebsd-net@freebsd.org
Received: from taka.swcp.com (taka.swcp.com [198.59.115.12]) by hub.freebsd.org (Postfix) with ESMTP id 2A10937B491 for ; Sun, 11 Feb 2001 21:15:56 -0800 (PST)
Received: from argotsoft.com (argotsoft.com [198.59.115.127]) by taka.swcp.com (8.10.0.Beta12/8.10.0.Beta12) with ESMTP id f1C5F2046672 for ; Sun, 11 Feb 2001 22:15:03 -0700 (MST)
Received: from rincon (rincon.argotsoft.com [192.168.3.102]) by argotsoft.com (8.9.3/8.8.7) with SMTP id WAA07759 for ; Sun, 11 Feb 2001 22:13:59 -0700 (MST) (envelope-from msommer@argotsoft.com)
Message-Id: <3.0.3.32.20010211221423.00a5db40@mail>
X-Sender: msommer@mail
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sun, 11 Feb 2001 22:14:23 -0700
To: freebsd-net@FreeBSD.ORG
From: "Mark J. Sommer"
Subject: Re: pptp (mpd-netgraph) through a firewall
In-Reply-To: <200102120233.SAA68980@curve.dellroad.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Regarding the rule with "established": doesn't the recent security advisory regarding the established keyword apply here to this IPFW rule?

From the advisory:

II.  Problem Description

Due to overloading of the TCP reserved flags field, ipfw and ip6fw incorrectly treat all TCP packets with the ECE flag set as being part of an established TCP connection, which will therefore match a corresponding ipfw rule containing the 'established' qualifier, even if the packet is not part of an established connection.

The ECE flag is not believed to be in common use on the Internet at present, but is part of an experimental extension to TCP for congestion notification. At least one other major operating system will emit TCP packets with the ECE flag set under certain operating conditions.

Only systems which have enabled ipfw or ip6fw and use a ruleset containing TCP rules which make use of the 'established' qualifier, such as "allow tcp from any to any established", are vulnerable. The exact impact of the vulnerability on such systems is undetermined and depends on the exact ruleset in use.

All released versions of FreeBSD prior to the correction date including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable, but it was corrected prior to the (future) release of FreeBSD 4.3.

At 06:33 PM 2/11/01 -0800, you wrote:
>Dan Larsson writes:
>> Are the following ipfw lines sufficient to allow pptp?:
>>
>> ${fwcmd} add pass tcp from any to any established
>> ${fwcmd} add pass tcp from any to ${EXT_IF} pptp setup
>> ${fwcmd} add pass gre from any to any
>
>Yes, should be. In any case you can always tell if it's not by
>using "ipfw log" rules.
>
>-Archie
>
>__________________________________________________________________________
>Archie Cobbs * Packet Design * http://www.packetdesign.com
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-net" in the body of the message
>
>

~Mark

--------------------------------------------------------------------------------
Mark J. Sommer
ARGOT Software Corporation, P.O. Box 92020, Albuquerque, New Mexico 87199-2020
FAX: 505-771-0274  PHONE: 505-867-6750
E-MAIL: msommer@argotsoft.com
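The overlap the quoted advisory describes, shown as an added C example that is not part of this thread and is not FreeBSD's ipfw source: a rule's "established" qualifier is modelled as a pseudo-flag kept in the same byte-wide bitmask as the TCP flags the rule compares against, at bit 0x40, which is also the bit RFC 3168 assigns to ECE in a packet's flags byte. The rule-side constant value and the matcher structure are assumptions made to reproduce the mechanism; the packets and the two-rule ruleset (the TCP lines from Dan Larsson's question) are constructed.

```c
/* Model of the ipfw 'established' / ECE overlap from the advisory quoted
 * above.  Added example, not ipfw source.  Assumption: the rule stores the
 * "established" qualifier as a pseudo-flag at bit 0x40 of the same mask it
 * compares against th_flags, and 0x40 is TH_ECE on the wire (RFC 3168). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* ECN-Echo, a reserved bit before RFC 3168 */
#define TH_CWR  0x80   /* Congestion Window Reduced, likewise */

#define RULE_ESTAB 0x40  /* assumed: rule pseudo-flag colliding with TH_ECE */

struct tcp_rule {
    uint16_t dport;   /* 0 = any */
    uint8_t  set;     /* flags required set (may include RULE_ESTAB) */
    uint8_t  clear;   /* flags required clear */
};

/* Vulnerable matcher: 'established' short-circuits on ACK|RST, but a packet
 * without them falls into a raw compare of th_flags against the rule mask,
 * where bit 0x40 means ECE on the packet and ESTAB on the rule. */
int match_vulnerable(uint8_t th_flags, const struct tcp_rule *r)
{
    if ((r->set & RULE_ESTAB) && (th_flags & (TH_RST | TH_ACK)))
        return 1;
    if ((th_flags & r->set) != r->set)
        return 0;
    if (th_flags & r->clear)
        return 0;
    return 1;
}

/* Hardened matcher: the pseudo-flag is stripped before any compare with real
 * packet bits, and 'established' is decided only by ACK|RST being present. */
int match_fixed(uint8_t th_flags, const struct tcp_rule *r)
{
    uint8_t want = (uint8_t)(r->set & (uint8_t)~RULE_ESTAB);
    if ((r->set & RULE_ESTAB) && !(th_flags & (TH_RST | TH_ACK)))
        return 0;
    if ((th_flags & want) != want)
        return 0;
    if (th_flags & r->clear)
        return 0;
    return 1;
}

/* Constructed ruleset: the TCP lines from the thread, in order.
 *   1: pass tcp from any to any established
 *   2: pass tcp from any to ${EXT_IF} 1723 setup   (pptp)
 * followed by the implicit deny. */
static const struct tcp_rule ruleset[] = {
    { 0,    RULE_ESTAB, 0      },
    { 1723, TH_SYN,     TH_ACK },
};

/* Returns the 1-based number of the first rule that passes the packet,
 * or 0 for the implicit deny. */
int first_pass(uint8_t th_flags, uint16_t dport, int vulnerable)
{
    size_t n = sizeof(ruleset) / sizeof(ruleset[0]);
    for (size_t i = 0; i < n; i++) {
        const struct tcp_rule *r = &ruleset[i];
        if (r->dport && r->dport != dport)
            continue;
        int hit = vulnerable ? match_vulnerable(th_flags, r)
                             : match_fixed(th_flags, r);
        if (hit)
            return (int)i + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed packets: an ECN-capable client's opening SYN carries
     * SYN|ECE|CWR; a non-ECN client's opening SYN carries only SYN. */
    uint8_t ecn_syn   = TH_SYN | TH_ECE | TH_CWR;
    uint8_t plain_syn = TH_SYN;

    printf("SYN|ECE|CWR to port 22: vulnerable rule %d, fixed rule %d\n",
           first_pass(ecn_syn, 22, 1), first_pass(ecn_syn, 22, 0));
    printf("SYN to port 22:         vulnerable rule %d, fixed rule %d\n",
           first_pass(plain_syn, 22, 1), first_pass(plain_syn, 22, 0));
    printf("SYN|ECE|CWR to 1723:    vulnerable rule %d, fixed rule %d\n",
           first_pass(ecn_syn, 1723, 1), first_pass(ecn_syn, 1723, 0));
    return 0;
}
```

With the vulnerable matcher, the ECN-style SYN to port 22 is passed by rule 1 as "established", so the pptp-only `setup` rule and the implicit deny never see it; with the fixed matcher it falls through to the deny, while a plain SYN and an ACK behave identically under both. On a ruleset like the one in the thread, an `ipfw log` rule placed before the `established` line is the quickest way to see whether such SYNs are arriving.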