Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established



Quoting Michal Mertl <mime@xxxxxxxxxxxx> (Sun, 12 Nov 2006 18:19:03 +0100):

Alexander Leidinger wrote on Sat 11. 11. 2006 at 21:32 +0100:
Quoting "R. B. Riddick" <arne_woerner@xxxxxxxxx> (from Sat, 11 Nov
2006 11:00:49 -0800 (PST)):

--- "Julian H. Stacey" <jhs@xxxxxxxxxxxxxxxx> wrote:
I tried adding
${fwcmd} add pass tcp from any to any established
from src/etc/rc.firewall case - simple. Which solved it.
But I was scared, not understanding what the established bit did, &
how easily an attacker might fake something, etc.
I found adding these tighter rules instead worked for me
${fwcmd} add pass tcp from any http to me established in via tun0
${fwcmd} add pass tcp from me to any http established out via tun0
Should I still be worrying about established ?

Hmm... I personally use "check-state" and "keep-state", so that it is not
enough to fake the "established" flags, but the attacker had to know
the ports, the IPs, control over routing in pub inet(?) and some little
secrets in the TCP headers (I don't know exactly how it works):
add check-state
add pass icmp from any to any keep-state out xmit tun0
add pass tcp from any to any setup keep-state out xmit tun0
add pass udp from any to any domain keep-state out xmit tun0

These are the stats of the first 7 rules on my DSL line after one day:
00100 6423992 376898110 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
20000 0 0 check-state
30000 10013 1047483 deny tcp from any to any established
30100 226 45640 deny ip from any to any not verrevpath in
30200 7 280 deny tcp from any to any tcpoptions !mss setup

Another nice rule (stats after one day):
30800 3149862 117471324 deny ip from any to
0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

I am using something similar (with table instead of list filled from
http://www.cymru.com/Documents/bogon-bn-agg.txt ).

Your numbers seem extremely high to me - I have it on a router with
thousands of public IPs behind it and see nowhere near as many hits.

This is a 4.11-stable system.

# uptime
6:22PM up 1 day, 22:44, 1 user, load averages: 0.01, 0.05, 0.06

# ipfw -a show
00100 11653484 696947498 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
20000 0 0 check-state
30000 17150 1428089 deny tcp from any to any established
30100 235 48648 deny ip from any to any not verrevpath in
30200 16 640 deny tcp from any to any tcpoptions !mss setup
30300 0 0 deny ip from XXX
30400 0 0 allow ip from XXX
30500 275 48395 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via wi0
30600 0 0 deny ip from 192.168.1.0/24,192.168.2.0/24 to any in via tun0
30700 0 0 deny ip from any to 10.0.0.0/8,172.16.0.0/12 via tun0
30800 5713020 213062040 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0
30900 0 0 deny ip from 10.0.0.0/8,172.16.0.0/12 to any via wi0
31000 0 0 deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any via wi0
31100 0 0 deny ip from 10.0.0.0/8,172.16.0.0/12 to any via tun0
31200 0 0 deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any via tun0

Maybe dial-up/DSL lines are more interesting to hack for the botnet
owners than whatever you have behind this router.

Bye,
Alexander.

--
Adelai: A package is just a box until it's delivered.
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
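An added example, not from this thread and not FreeBSD's own rc.firewall, of how the rules discussed above fit together in an rc.firewall-style sh script: check-state ahead of a deny-established catch-all (so a segment with ACK/RST set only gets through if a keep-state rule created a dynamic entry for it), the verrevpath and "!mss setup" sanity rules, and the bogon list kept in an ipfw table as Michal describes instead of the inline list the 4.11 ruleset has to use (tables need ipfw2, 5.x or later). The interface names tun0/wi0, the inside network 192.168.1.0/24, table number 1 and the file /etc/ipfw.bogons are assumptions; when the file is absent the script falls back to a constructed list matching the prefixes in the thread. Run without arguments (or with fwcmd=echo in the environment) to print the commands instead of loading them.

```shell
#!/bin/sh
# Stateful ipfw ruleset in the rc.firewall style (added example, assumptions below).
# fwcmd=echo turns every ipfw call into a printed line, which is how the
# ruleset can be reviewed before it is loaded.
fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-tun0}"                    # assumed external (DSL) interface
iif="${iif:-wi0}"                     # assumed internal interface
inside_net="${inside_net:-192.168.1.0/24}"
bogon_file="${bogon_file:-/etc/ipfw.bogons}"   # assumed: one prefix per line, '#' comments
bogon_table=1                         # assumed table number

# Fill the bogon table from the file, or from a constructed fallback list
# that mirrors the prefixes used inline in the thread's 4.11 ruleset.
load_bogons() {
    if [ -r "$bogon_file" ]; then
        bogons=$(grep -v '^#' "$bogon_file")
    else
        bogons="0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
    fi
    $fwcmd table $bogon_table flush
    for p in $bogons; do
        $fwcmd table $bogon_table add "$p"
    done
}

build_ruleset() {
    $fwcmd -f flush
    load_bogons
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any
    # Dynamic rules are consulted first: packets of a session that a
    # keep-state rule below created are accepted here.
    $fwcmd add 20000 check-state
    # A segment with ACK or RST set that reaches this point has no state
    # entry, so the flags alone are not trusted: drop it and count it.
    $fwcmd add 30000 deny tcp from any to any established
    # Anti-spoofing: the source must route back out the interface it came in on.
    $fwcmd add 30100 deny ip from any to any not verrevpath in
    # SYNs without an MSS option are not produced by normal stacks.
    $fwcmd add 30200 deny tcp from any to any tcpoptions !mss setup
    # Bogon prefixes never appear on the external interface in either direction.
    $fwcmd add 30300 deny ip from "table($bogon_table)" to any via "$oif"
    $fwcmd add 30400 deny ip from any to "table($bogon_table)" via "$oif"
    # RFC1918 space must not leak in or out across the external link.
    $fwcmd add 30500 deny ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to any in via "$oif"
    $fwcmd add 30600 deny ip from any to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 out via "$oif"
    # Only outbound sessions create state; their replies return via check-state.
    $fwcmd add 40000 allow icmp from any to any keep-state out xmit "$oif"
    $fwcmd add 40100 allow tcp from any to any setup keep-state out xmit "$oif"
    $fwcmd add 40200 allow udp from any to any 53 keep-state out xmit "$oif"
    # Inside hosts may reach the firewall itself.
    $fwcmd add 50000 allow ip from "$inside_net" to me in via "$iif"
    $fwcmd add 65000 deny ip from any to any
}

case "${1:-print}" in
    load)  build_ruleset ;;             # sh fw.sh load   -> install with /sbin/ipfw
    print) fwcmd=echo; build_ruleset ;; # sh fw.sh        -> dry run, print the commands
esac
```

After loading, `ipfw -a show` gives the per-rule counters the thread compares; the count on rule 30000 is the number of segments that claimed to belong to a connection the firewall had never seen.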