ONJava.com -- The Independent Source for Enterprise Java
oreilly.comSafari Books Online.Conferences.

advertisement

AddThis Social Bookmark Button
Article:
  Exploring the Mac OS X Firewall
Subject:   Slight error
Date:   2005-03-16 09:18:48
From:   finkga
The article states:


02050 allow tcp from any to any out
02060 allow tcp from any to any established


> Here we allow any outbound packets through and
> follow this up by allowing any previously
> established connections back in. The firewall
> is "state-full"—that is to say it doesn't just
> process a packet and forget about it as it
> moves onto the next one. It remembers that it
> allowed a connection from my computer to my
> ISP's mail server and therefore can identify
> incoming packets as being part of the same
> connection and allow then back in without a
> whole host of new rules.


This is not an example of stateful processing. The first rule allows any outgoing tcp connection it doesn't care whether it is a new connection or an established one. To restrict the outbound rule to new connections only, you must append the word "setup" to this rule. This matches only tcp packets with the SYN bit set.


The second rule allows only tcp packets without the SYN bit set to pass. With the two rules entered as listed, someone with nmap can still use ACK packets (pretending to be part of an existing connection) to scan your machine.


If you really want stateful monitoring of connections you need to use the check-state rule and the keep-state actions. For instance, adding the rules:



add 2050 check-state
add 2060 allow tcp from me to any out setup keep-state


will make the firewall stateful. The first rule says, "match the packets against any of the dynamic rules I've made so far." If none of these matches, the next rule comes into play. Rule 2060 says, "if this is a new outgoing connection initiated by me, make a dynamic rule that will allow any traffic from this connection through."


With these modified rules, incoming ACK packets and other beasts trying to pretend they are part of an existing connection will not match and will be turned away at the door. Check out the ipfw man page for more details.


Hope this isn't as confusing as it sounds.


-- Glenn


1 to 1 of 1
  1. Slight error
    2005-03-17 01:01:12  peterhickman [View]

    • Slight error
      2006-02-04 15:51:27  sumbach [View]

1 to 1 of 1