--- "Julian H. Stacey" <[EMAIL PROTECTED]> wrote:
> I tried adding
> ${fwcmd} add pass tcp from any to any established
> from src/etc/rc.firewall case - simple. Which solved it.
> But I was scared, not undertstand what the established bit did, &
> how easily an attacker might fake something, etc.
> I found adding these tighter rules instead worked for me
> ${fwcmd} tcp from any http to me established in via tun0
> ${fwcmd} tcp from me to any http established out via tun0
> Should I still be worrying about established ?
>
Hmm... I personally use "check-states" and "keep-state", so that it is not
enough to fake the "established" flags, but the attacker had to know the ports,
the IPs, control over routing in pub inet(?) and some little secrets in the TCP
headers (I dont know exactly how it works):
add check-state
add pass icmp from any to any keep-state out xmit tun0
add pass tcp from any to any setup keep-state out xmit tun0
add pass udp from any to any domain keep-state out xmit tun0
Furthermore I use pf on the same box, too, so that a bug in ipfw is not
enough... :-)
-Arne
____________________________________________________________________________________
Yahoo! Music Unlimited
Access over 1 million songs.
http://music.yahoo.com/unlimited
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
