Re: Fw: Re: A question about FreeBSD security

From: Dag-Erling Smorgrav (des@ofug.org)
Date: 07/19/01

• Next message: Cy Schubert - ITSD Open Systems Group: "Re: [PATCH] Re: FreeBSD remote root exploit ?"
• Previous message: Richard Lucas: "Re: [PATCH] Re: FreeBSD remote root exploit ?"
• In reply to: Ralph Huntington: "Re: Fw: Re: A question about FreeBSD security"
• Next in thread: Sean Chittenden: "Possible limitations of ipfw dynamic rules/state (was: Re: Fw: Re: A question about FreeBSD security)"
• Reply: Sean Chittenden: "Possible limitations of ipfw dynamic rules/state (was: Re: Fw: Re: A question about FreeBSD security)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

To: Ralph Huntington <rjh@mohawk.net>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 19 Jul 2001 23:00:06 +0200

Ralph Huntington <rjh@mohawk.net> writes:
> My understanding (someone please correct me if I am wrong) is that IPFW
> relies on the incoming packets' own headers to infer the established
> state, whereas IPF keeps a table of outgoing packets (when told to keep
> state) and matches incoming packets to the entries in the table to
> determine if they are actually in response to an outgoing packet.

Both. It all depends on how you set up your rule set - you can do

# ipfw add pass tcp from any to me 22 in setup
# ipfw add pass tcp from me 22 to any out tcpflags syn,ack keep-state

instead of

# ipfw add pass tcp from any to me 22 in setup keep-state

The first variant will only store state for incoming connections to
which you actually respond, while the second will store state for all
incoming connections.

DES

-- 
Dag-Erling Smorgrav - des@ofug.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

---

• Next message: Cy Schubert - ITSD Open Systems Group: "Re: [PATCH] Re: FreeBSD remote root exploit ?"
• Previous message: Richard Lucas: "Re: [PATCH] Re: FreeBSD remote root exploit ?"
• In reply to: Ralph Huntington: "Re: Fw: Re: A question about FreeBSD security"
• Next in thread: Sean Chittenden: "Possible limitations of ipfw dynamic rules/state (was: Re: Fw: Re: A question about FreeBSD security)"
• Reply: Sean Chittenden: "Possible limitations of ipfw dynamic rules/state (was: Re: Fw: Re: A question about FreeBSD security)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: can I use keep-state for icmp rules? ... >> ipfw does not really track the state, ... >> fooled by incoming packets spoofing the state of the connection, ... They both do stateful inspections, yes, but ipfw ... (FreeBSD-Security) bpf, ipfw and before-and-after ... This afternoon I ran into the ever lasting of "bpf runs before ipfw" ... and bpf_mtapdid have a way to determine wether it should print ... the incoming packets. ... Edwin Groothuis ... (freebsd-net) Re: packet order, ipf or ipfw ... We found IPFW a little complex to use, ... >> I'm running ipf because I like it ...but now I need to use ipfw's pipe ... >> So, what is the order, if I'm running ipf AND ipfw at the same time? ... > AFAIK, ipf takes precedence on ipfw for incoming packets on -STABLE, ... (freebsd-net) Re: packet order, ipf or ipfw ... > rules in ipf, then in ipfw: limit bandwidth for a few vlans, then allow all. ... AFAIK, ipf takes precedence on ipfw for incoming packets on -STABLE, ... (freebsd-net)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > FreeBSD-Security  > 2001-07