Date:      Sun, 11 Feb 2001 22:14:23 -0700
From:      "Mark J. Sommer" <msommer@argotsoft.com>
To:        freebsd-net@FreeBSD.ORG
Subject:   Re: pptp (mpd-netgraph) through a firewall
Message-ID:  <3.0.3.32.20010211221423.00a5db40@mail>
In-Reply-To: <200102120233.SAA68980@curve.dellroad.org>
References:  <Pine.BSF.4.32.0102091205460.70820-100000@hq1.tyfon.net>

Regarding the rule with "established":  doesn't the recent security advisory regarding the established keyword apply here to this IPFW rule?

From the advisory:

II.  Problem Description

Due to overloading of the TCP reserved flags field, ipfw and ip6fw
incorrectly treat all TCP packets with the ECE flag set as being part
of an established TCP connection, which will therefore match a
corresponding ipfw rule containing the 'established' qualifier, even
if the packet is not part of an established connection.

The ECE flag is not believed to be in common use on the Internet at
present, but is part of an experimental extension to TCP for
congestion notification.  At least one other major operating system
will emit TCP packets with the ECE flag set under certain operating
conditions.

Only systems which have enabled ipfw or ip6fw and use a ruleset
containing TCP rules which make use of the 'established' qualifier,
such as "allow tcp from any to any established", are vulnerable.  The
exact impact of the vulnerability on such systems is undetermined and
depends on the exact ruleset in use.

All released versions of FreeBSD prior to the correction date
including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable, but it was
corrected prior to the (future) release of FreeBSD 4.3.

At 06:33 PM 2/11/01 -0800, you wrote:
>Dan Larsson writes:
>> Are the following ipfw lines sufficent to allow pptp?:
>> 
>> ${fwcmd} add pass tcp from any to any established
>> ${fwcmd} add pass tcp from any to ${EXT_IF} pptp setup
>> ${fwcmd} add pass gre from any to any
>
>Yes, should be.  In any case you can always tell if it's not by
>using "ipfw log" rules.
>
>-Archie
>
>__________________________________________________________________________
>Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-net" in the body of the message
>
>

~Mark
--------------------------------------------------------------------------------
Mark J. Sommer      ARGOT Software Corporation,
P.O. Box 92020,     Albuquerque, New Mexico       87199-2020
FAX: 505-771-0274   PHONE: 505-867-6750           E-MAIL: msommer@argotsoft.com
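Added example (not from the thread or from FreeBSD's sources): a small C model of why the advisory quoted above matters for Dan's ruleset. ipfw(8) defines 'established' as "RST or ACK set" and 'setup' as "SYN set, ACK clear"; the model assumes, from the advisory's wording and the IP_FW_TCPF_ESTAB value in ip_fw.h of that era, that the pre-4.3 code or'ed the 0x40 ESTAB pseudo-flag into the mask tested against th_flags, which is the same bit position as ECE. The three rules from the thread are replayed over constructed TCP headers with the vulnerable and the corrected matcher side by side; rule numbers, port 50000 and the sample packets are all constructed here, and the default-deny assumes a kernel without IPFIREWALL_DEFAULT_TO_ACCEPT.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits of the th_flags byte in a TCP header (RFC 793 plus the ECN bits). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* ECN-Echo: the bit the advisory is about */
#define TH_CWR  0x80

/* ipfw's internal pseudo-flag for the 'established' qualifier.  It shared the
 * flags byte with the real TCP bits and sat at 0x40, the same value as ECE:
 * the "overloading of the TCP reserved flags field" from the advisory.
 * Assumption: value as in ip_fw.h of that era. */
#define IP_FW_TCPF_ESTAB 0x40
#define PPTP_PORT 1723

struct tcp_pkt {
    uint16_t sport, dport;
    uint8_t  flags;
};

/* Pull ports and flags out of a raw TCP header: ports in bytes 0-3, flags in
 * byte 13.  Returns 0 if fewer than the 20 fixed header bytes are present. */
int parse_tcp(const uint8_t *hdr, size_t len, struct tcp_pkt *out)
{
    if (len < 20)
        return 0;
    out->sport = (uint16_t)((hdr[0] << 8) | hdr[1]);
    out->dport = (uint16_t)((hdr[2] << 8) | hdr[3]);
    out->flags = hdr[13];
    return 1;
}

/* 'established' as ipfw(8) documents it: RST or ACK set. */
int estab_fixed(uint8_t flags)
{
    return (flags & (TH_ACK | TH_RST)) != 0;
}

/* Pre-4.3 behaviour modelled from the advisory: the ESTAB pseudo-flag is part
 * of the mask tested against th_flags, so a packet with only ECE set (no ACK,
 * no RST) counts as "established".  Simplified model, not the kernel's code. */
int estab_vulnerable(uint8_t flags)
{
    return (flags & (IP_FW_TCPF_ESTAB | TH_ACK | TH_RST)) != 0;
}

/* 'setup' as ipfw(8) documents it: SYN set, ACK clear. */
int setup_match(uint8_t flags)
{
    return (flags & (TH_SYN | TH_ACK)) == TH_SYN;
}

/* Run a TCP packet through the thread's rules in order, then default deny
 * (the gre rule never matches TCP).  Returns the rule position that passed
 * the packet, or 0 for the default deny. */
int run_ruleset(const struct tcp_pkt *p, int (*established)(uint8_t))
{
    if (established(p->flags))                           /* pass tcp from any to any established */
        return 1;
    if (p->dport == PPTP_PORT && setup_match(p->flags))  /* pass tcp from any to ${EXT_IF} pptp setup */
        return 2;
    return 0;
}

/* Build a constructed 20-byte TCP header (data offset 5, no options) from
 * source port 50000 and classify it with either matcher. */
int classify(uint16_t dport, uint8_t flags, int vulnerable)
{
    uint8_t hdr[20] = {0};
    struct tcp_pkt p;

    hdr[0] = 0xC3; hdr[1] = 0x50;                 /* source port 50000 */
    hdr[2] = (uint8_t)(dport >> 8); hdr[3] = (uint8_t)dport;
    hdr[12] = 0x50;                               /* data offset = 5 words */
    hdr[13] = flags;
    if (!parse_tcp(hdr, sizeof hdr, &p))
        return -1;
    return run_ruleset(&p, vulnerable ? estab_vulnerable : estab_fixed);
}

int main(void)
{
    /* Constructed samples: a plain SYN to ssh, an ECN-capable SYN to ssh
     * (ECE and CWR set, as the ECN spec's connection-setup SYN carries),
     * a SYN to the PPTP port, and a mid-connection ACK. */
    struct { const char *name; uint16_t dport; uint8_t flags; } s[] = {
        { "SYN to 22",          22,        TH_SYN },
        { "SYN|ECE|CWR to 22",  22,        TH_SYN | TH_ECE | TH_CWR },
        { "SYN to 1723 (pptp)", PPTP_PORT, TH_SYN },
        { "ACK to 22",          22,        TH_ACK },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-20s vulnerable: rule %d   fixed: rule %d\n", s[i].name,
               classify(s[i].dport, s[i].flags, 1),
               classify(s[i].dport, s[i].flags, 0));
    return 0;
}
```

The line that matters is the second one: with the vulnerable matcher an ECN-setup SYN to any port is passed by rule 1, so the pptp-only 'setup' rule never gets a say; with the corrected matcher it falls through to the default deny as a plain SYN does. That is the case to keep in mind when judging whether "allow tcp from any to any established" is acceptable on an unpatched box.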







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.3.32.20010211221423.00a5db40>