Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to
Quoting "R. B. Riddick" <arne_woerner@yahoo.com> (from Sat, 11 Nov =20
2006 11:00:49 -0800 (PST)):
> --- "Julian H. Stacey" <jhs@flat.berklix.net> wrote:
>> I tried adding
>> =09${fwcmd} add pass tcp from any to any established
>> from src/etc/rc.firewall case - simple. Which solved it.
>> But I was scared, not undertstand what the established bit did, &
>> how easily an attacker might fake something, etc.
>> I found adding these tighter rules instead worked for me
>> =09${fwcmd} tcp from any http to me established in via tun0
>> =09${fwcmd} tcp from me to any http established out via tun0
>> Should I still be worrying about =09established ?
>>
> Hmm... I personally use "check-states" and "keep-state", so that it is not
> enough to fake the "established" flags, but the attacker had to know =20
> the ports,
> the IPs, control over routing in pub inet(?) and some little secrets =20
> in the TCP
> headers (I dont know exactly how it works):
> add check-state
> add pass icmp from any to any keep-state out xmit tun0
> add pass tcp from any to any setup keep-state out xmit tun0
> add pass udp from any to any domain keep-state out xmit tun0
These are the stats of the first 7 rules on my DSL line afer one day:
00100 6423992 376898110 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
20000 0 0 check-state
30000 10013 1047483 deny tcp from any to any established
30100 226 45640 deny ip from any to any not verrevpath in
30200 7 280 deny tcp from any to any tcpoptions !mss setup
Another nice rule (stats after one day):
30800 3149862 117471324 deny ip from any to =20
0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0
Bye,
Alexander.
--=20
Committees have become so important nowadays that subcommittees have to
be appointed to do the work.
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID =3D B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID =3D 72077137
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 3 之 5 篇):