Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established



On 2006-11-11 17:08, "Julian H. Stacey" <jhs@xxxxxxxxxxxxxxxx> wrote:
Hi security@ list,
In my self written, large ipfw rule set, I had something that passed
http to allow me to browse most but not all remote sites. For years
I assumed the few sites I had difficulty with were cases pppoed MTU
!= 1500, from not having installed tcpmssd on my 4.*-RELEASE, but
then running 6.1-RELEASE I realised that wasn't the problem.

http://www.web.de Still failed, &
http://www.sueddeutsche.de Was slow.

I tried adding

${fwcmd} add pass tcp from any to any established

from the "simple" case in src/etc/rc.firewall, which solved it.
But I was scared, not understanding what the established bit did, &
how easily an attacker might fake something, etc.
I found adding these tighter rules instead worked for me

${fwcmd} add pass tcp from any http to me established in via tun0
${fwcmd} add pass tcp from me to any http established out via tun0

Should I still be worrying about established ?

In general, I prefer stateful rulesets, which eliminate the need for
'established' rules. This would be something like:

${fwcmd} add check-state
${fwcmd} add pass tcp from me to any http out via tun0 keep-state
${fwcmd} add pass tcp from me to any ssh out via tun0 keep-state
[...]

This may create problems with connections whose entries time out before
something is received back from the other end, but IMHO this is much
better than the possibility of someone 'abusing' the 'established' check
to poke holes through the firewall ruleset.

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
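The difference the reply is getting at, modelled in code as an added example (not from the thread, not ipfw itself, and not anything in src/etc/rc.firewall): `established` in ipfw matches any TCP packet with the RST or ACK bit set and consults no connection table, whereas `check-state` passes a packet only if an earlier `keep-state` rule recorded its flow. The addresses, ports, the 30-second entry lifetime and the three scenarios are constructed; the model also skips ipfw's real TCP state tracking and keeps only enough to show why an unsolicited ACK passes the stateless rule but not the stateful one, and why a dynamic entry that expires before the reply arrives (the caveat the reply mentions) causes a drop.

```python
"""Simplified model contrasting ipfw 'established' with check-state/keep-state.

Constructed example: it mimics the matching semantics of the two options
rather than running ipfw. Per ipfw(8), 'established' matches TCP packets with
RST or ACK set and 'setup' matches SYN without ACK; keep-state records a flow
on first match and check-state passes only packets belonging to a live entry.
"""
from dataclasses import dataclass

ME = "192.0.2.10"   # constructed address of the firewall host (TEST-NET-1 range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "RST", "FIN"}
    direction: str     # "in" or "out", as seen on the external interface


def established_ruleset(pkt: Packet) -> str:
    """Stateless ruleset in the spirit of rc.firewall's 'simple' case:
         add pass tcp from any to any established
         add pass tcp from me to any setup out
         add deny tcp from any to any
    """
    if pkt.flags & {"ACK", "RST"}:
        return "pass"       # 'established': flag check only, no flow table
    if pkt.direction == "out" and pkt.src == ME and pkt.flags == {"SYN"}:
        return "pass"       # 'setup' leaving our host
    return "deny"


class StatefulFirewall:
    """Stateful ruleset in the spirit of the reply:
         add check-state
         add pass tcp from me to any http out keep-state
         add deny tcp from any to any
    Dynamic entries expire 'lifetime' seconds after the last matching packet.
    """

    def __init__(self, lifetime: float = 30.0) -> None:
        self.lifetime = lifetime
        self.dynamic = {}   # (src, sport, dst, dport) -> expiry time in seconds

    def _touch(self, key, now):
        reverse = (key[2], key[3], key[0], key[1])
        self.dynamic[key] = now + self.lifetime
        self.dynamic[reverse] = now + self.lifetime

    def filter(self, pkt: Packet, now: float = 0.0) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.dynamic.get(key)
        if expiry is not None and now <= expiry:
            self._touch(key, now)   # check-state hit: refresh and pass
            return "pass"
        if pkt.direction == "out" and pkt.src == ME and pkt.dport == 80:
            self._touch(key, now)   # keep-state: record both directions
            return "pass"
        return "deny"               # everything else, including stray ACKs


def run_scenarios() -> dict:
    """Three constructed cases: a normal web reply, a stray inbound ACK aimed
    at our ssh port with no connection behind it, and a reply that arrives
    after the dynamic entry has timed out."""
    web = "198.51.100.20"        # constructed remote web server
    syn = Packet(ME, 40000, web, 80, frozenset({"SYN"}), "out")
    synack = Packet(web, 80, ME, 40000, frozenset({"SYN", "ACK"}), "in")
    stray = Packet("203.0.113.5", 4444, ME, 22, frozenset({"ACK"}), "in")

    fw = StatefulFirewall(lifetime=30.0)
    late_fw = StatefulFirewall(lifetime=30.0)
    return {
        "reply_established": established_ruleset(synack),
        "reply_stateful": (fw.filter(syn, now=0.0), fw.filter(synack, now=1.0)),
        "stray_established": established_ruleset(stray),
        "stray_stateful": fw.filter(stray, now=2.0),
        "late_reply_stateful": (late_fw.filter(syn, now=0.0),
                                late_fw.filter(synack, now=60.0)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The stray packet is the case the reply calls abusing the `established` check: a single flag bit decides, so nothing about the packet has to correspond to a connection the host opened. The late-reply case is the trade-off the reply accepts in return: a flow whose entry lapses before anything comes back is dropped until it is set up again.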
