rayksugar-land.spc.slb.com

• Next message: Paul Hart: "Re: Firewall rules for an internet FTP server?"
• Previous message: Michael McHugh: "Re: Firewall rules for an internet FTP server?"
• Next in thread: Darren Reed: "Re: ipfw dynamic rules & tcp rst"
• Reply: Darren Reed: "Re: ipfw dynamic rules & tcp rst"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have been using the new dynamic ipfw rules in 4.0. I wanted to make the
firewall react as though it didn't exist by returning TCP RSTs instead of
just dropping the connection. However, the following rules do not work:

00400 check-state
00500 reset tcp from any to {myip} established
00600 reset tcp from {myip} to any established
00700 allow tcp from any to {myip} 22 keep-state setup
00800 reset tcp from any to {myip} setup
65535 deny ip from any to any

When a connection comes in for a non-allowed port, rule 800 rejects the
connection. However, rule 600 prevents the TCP RST from being sent and the
connection is dropped. The following rules work however:

00300 allow tcp from {myip} to any
00400 check-state
00500 reset tcp from any to {myip} established
00600 allow tcp from any to {myip} 22 keep-state setup
00700 reset tcp from any to {myip} setup
65535 deny ip from any to any

This time the connection is rejected and rule 300 allows the RST to be
sent. Is there a better way of accomplishing this?

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Next message: Paul Hart: "Re: Firewall rules for an internet FTP server?"
• Previous message: Michael McHugh: "Re: Firewall rules for an internet FTP server?"
• Next in thread: Darren Reed: "Re: ipfw dynamic rules & tcp rst"
• Reply: Darren Reed: "Re: ipfw dynamic rules & tcp rst"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]