Re: ipfw, natd, and keep-state - strange behavior?

From: Chuck Swiger (cswiger@mac.com)
Date: 09/12/02


Date: Thu, 12 Sep 2002 17:30:26 -0400
From: Chuck Swiger <cswiger@mac.com>
To: freebsd-security@FreeBSD.ORG

On Thursday, September 12, 2002, at 01:16 PM, dfolkins wrote:
> From: "Chuck Swiger" <cswiger@mac.com>:
[ ... ]
>> Let me note that the whole intent of dynamic filtering is to permit
>> return
>> connections only in response to internal requests, and it presumes that
>> such connections are somehow "safer". I'm not so confident about that
>> assumption as some people seem to be.
>
> how's that? could you please elaborate?

Sure. What happens if a local user opens a connection to a popular site
which has been trojaned or redirected to malware via DNS hijacking? The
fact that you're using dynamic filtering doesn't help a bit when the
originating connection was local.

>> Frankly, I'd prefer to use static rules with aggressive ingress *and*
>> egress filtering,
>
> but wont that actually result in an overly permissive firewall? e.g., if
> you want to allow outgoing http connections, you have to allow packets
> from
> any external server port 80 to a whole bunch of tcp ports on internal ips.

Nope. While I prefer to use a proxy to centralize web access to the
outside via my interior firewall, you can also do something like:

    add pass tcp from $INET $HIPORTS to any 80,443
    add pass tcp from any 80,433 to $INET $HIPORTS established

Without performing the TCP 3-way startup (starting with a packet with SYN=
1 and ACK=0), the TCP sequence numbers won't match and the client being
scanned from some random external IP will simply drop the invalid
connection attempt.

>> which also avoids the DoS potential involved with
>> overflowing the number of dynamic connections permitted by a given
>> system,
>> thus causing the stateful firewall to lose track of older legitimate
>> connections. (*)
>
> true, there is that, but having a short enough syn_ udp_ and short_
> lifetime, and high enough number of allowed dyn rules would be pretty
> safe,
> no?

Not that I have seen, although I've never had a firewall which could do
syncookies hit by a DoS. Without that, denial-of-service attacks can
pretty easily overflow the connection database, thus causing all
pre-existing connections to drop, make creating new connections
problematic, and that was as true of a firewall on a multihomed x86 box
running FreeBSD 4.1 (now 4.5), as it was of Cisco hardware running IOS.

> also, i think you forgot to add the footnote that you implied would be
> forthcoming by the (*).

Sort of-- my PostScript ("PS:") was the footnote, but I wasn't consistent
in labelling it as such. :-)

[ ... ]
> but as you may remember in my original inquiry about firewall rules, i was
> trying to allow _outgoing_ ssh connections, not incoming ones.

Ok. Here are the equivalent static rules:

    allow tcp from $INET to any 22 setup
    allow tcp from any 22 to $INET established

-Chuck

        Chuck Swiger | chuck@codefab.com | All your packets are belong to
us.
        
-------------+-------------------+-----------------------------------
        "The human race's favorite method for being in control of the facts
         is to ignore them." -Celia Green

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Relevant Pages

  • Re: [fw-wiz] Firewall Log Analysis - Computer vs. Human
    ... can exactly count the rate of connections or other events, ... > TCP/8543 and let the firewall admin worry about it maybe the analyzer should ... > report that it is in fact a stray TCP packet caused by Internet latency (TCP ... humans are hardwired for pattern recognition (sometimes too ...
    (Firewall-Wizards)
  • Re: What is the Pattern here ?
    ... These are all Dialup Connections that I had no connection with at the time. ... It's obviously an enormous security hole, ... > and a real firewall box. ...
    (comp.security.firewalls)
  • Re: cant get Remote desktop to Work
    ... How do you allow TCP connections via port 3389 (I would like to keep the ... firewall going) - but will this make my PC vulnerable if 3389 is open? ... Remote Desktop is very much like PC Anywhere, without all the bloat of added ...
    (microsoft.public.windowsxp.network_web)
  • Re: cant get Remote desktop to Work
    ... How do you allow TCP connections via port 3389 (I would like to keep the ... firewall going) - but will this make my PC vulnerable if 3389 is open? ... Remote Desktop is very much like PC Anywhere, without all the bloat of added ...
    (microsoft.public.windowsxp.general)
  • Re: Black Ice confesses faulty program!!!
    ... > outgoing connections or traffic except in cases where these connections ... > "dangerous/suspicious" traffic by the BlackICE program. ... > get into your machine then even a PC *without* a firewall is completely ... If you don't think "Spyware" is a problem for computer ...
    (comp.security.firewalls)