Date: Sun, 12 Nov 2006 18:19:03 +0100 From: Michal Mertl <mime@traveller.cz> To: Alexander Leidinger <Alexander@Leidinger.net> Cc: freebsd-security@freebsd.org, "Julian H. Stacey" <jhs@flat.berklix.net>, "R. B. Riddick" <arne_woerner@yahoo.com> Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to anyestablished Message-ID: <1163351944.7859.8.camel@genius.i.cz> In-Reply-To: <20061111213255.94jv54t544g4w8g4@webmail.leidinger.net> References: <216597.35069.qm@web30315.mail.mud.yahoo.com> <20061111213255.94jv54t544g4w8g4@webmail.leidinger.net>
Alexander Leidinger wrote on Sat 11. 11. 2006 at 21:32 +0100:
> Quoting "R. B. Riddick" <arne_woerner@yahoo.com> (from Sat, 11 Nov
> 2006 11:00:49 -0800 (PST)):
>
> > --- "Julian H. Stacey" <jhs@flat.berklix.net> wrote:
> >> I tried adding
> >> ${fwcmd} add pass tcp from any to any established
> >> from src/etc/rc.firewall case - simple. Which solved it.
> >> But I was scared, not understanding what the established bit did, &
> >> how easily an attacker might fake something, etc.
> >> I found adding these tighter rules instead worked for me
> >> ${fwcmd} tcp from any http to me established in via tun0
> >> ${fwcmd} tcp from me to any http established out via tun0
> >> Should I still be worrying about established ?
> >>
> > Hmm... I personally use "check-states" and "keep-state", so that it is not
> > enough to fake the "established" flags, but the attacker had to know
> > the ports, the IPs, control over routing in pub inet(?) and some little
> > secrets in the TCP headers (I don't know exactly how it works):
> > add check-state
> > add pass icmp from any to any keep-state out xmit tun0
> > add pass tcp from any to any setup keep-state out xmit tun0
> > add pass udp from any to any domain keep-state out xmit tun0
>
> These are the stats of the first 7 rules on my DSL line after one day:
> 00100 6423992 376898110 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 20000 0 0 check-state
> 30000 10013 1047483 deny tcp from any to any established
> 30100 226 45640 deny ip from any to any not verrevpath in
> 30200 7 280 deny tcp from any to any tcpoptions !mss setup
>
> Another nice rule (stats after one day):
> 30800 3149862 117471324 deny ip from any to
> 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

I am using something similar (with a table instead of a list, filled from
http://www.cymru.com/Documents/bogon-bn-agg.txt ).
Your numbers seem extremely high to me - I have it on a router with
thousands of public IPs behind it and see nowhere near as many hits.

Michal

This is pretty unbelievable to me as I have a similar (and more encompassing)
rule on a router serving thousands of

>
> Bye,
> Alexander.
>
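The difference the thread turns on, as an added illustration that is not part of the original mail or of ipfw: a toy model in which the stateless `established` rule is a pure flag test, while `setup keep-state` plus `check-state` only admits a segment whose address/port pair was recorded by an earlier outbound SYN. The packet records and addresses are constructed, and the model only approximates ipfw's real matching.

```python
# Constructed model of the two ipfw matching styles discussed in the thread.
# 'established' matches any segment carrying ACK or RST, with no memory;
# 'setup keep-state' records an outbound SYN and 'check-state' looks it up.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "RST"}
    direction: str     # "in" or "out" relative to the firewall

def established_rule(pkt: Pkt) -> bool:
    """'pass tcp from any to any established': a flag test and nothing else."""
    return bool(pkt.flags & {"ACK", "RST"})

class StatefulFilter:
    """'check-state' followed by 'pass tcp from me to any setup keep-state out'."""
    def __init__(self, me: str):
        self.me = me
        self.dynamic = set()   # stand-in for ipfw's dynamic rule table

    def allow(self, pkt: Pkt) -> bool:
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if key in self.dynamic:                      # check-state
            return True
        if (pkt.direction == "out" and pkt.src == self.me
                and pkt.flags == {"SYN"}):           # setup keep-state out
            self.dynamic.add(key)
            return True
        return False                                 # default deny

def compare(me: str, pkts):
    """Return (label, established_rule verdict, stateful verdict) per packet."""
    sf = StatefulFilter(me)
    return [(label, established_rule(p), sf.allow(p)) for label, p in pkts]

# Constructed traffic: one real connection plus one unsolicited ACK segment,
# the kind of packet Alexander's 'deny tcp from any to any established'
# counter is catching. Addresses come from the documentation ranges.
ME = "192.0.2.1"
TRAFFIC = [
    ("outbound SYN", Pkt(ME, 50000, "198.51.100.10", 80, frozenset({"SYN"}), "out")),
    ("reply SYN/ACK", Pkt("198.51.100.10", 80, ME, 50000, frozenset({"SYN", "ACK"}), "in")),
    ("unsolicited ACK", Pkt("203.0.113.5", 80, ME, 50001, frozenset({"ACK"}), "in")),
]
```

Running `compare(ME, TRAFFIC)` shows the unsolicited ACK passing the flag-only rule but failing the stateful one, which is why placing `deny tcp from any to any established` after `check-state` turns such packets into counters rather than accepted traffic.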