| Summary: | ipfw's "established" option incorrectly passes packets with ECN-Echo flag set | | |
|---|---|---|---|
| Product: | Base System | Reporter: | David Newall <david.newall> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | 4.2-RELEASE | | |
| Hardware: | Any | | |
| OS: | Any | | |
On Mon, Jul 30, 2001 at 03:53:43AM -0700, David Newall wrote:
> >Synopsis: ipfw's "established" option incorrectly passes packets with ECN-Echo flag set

Is this the same as the problem documented at the URL below?

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A08.ipfw.asc

David.

> Is this the same as the problem documented at the URL below?
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A08.ipfw.asc

Yes, it is. I searched GNATS, but apparently I did not try hard enough.
Bother. Thanks!

State Changed From-To: open->closed. Problem has been fixed in 4.3 and -current.
Description:

Ipfw rules that specify "established" TCP packets incorrectly match packets with the ECN-Echo flag set (see RFC 2481). This type of rule is sometimes used to permit unrestricted "outbound" and restricted "inbound" connections. Intruders can exploit this fault to penetrate a firewall that is so configured.

Fix:

There are a number of good ways to fix the problem:

1. Modify ip_fw.h, ip_fw.c and ipfw.c so that IP_FW_TCPF_ESTAB is not stored in fw_tcpf (best solution);
2. Modify ip_fw.c so that rules with IP_FW_TCPF_ESTAB set return 0 if neither the RST nor ACK flags are set (acceptable, but will need rework when the number of allocated flags exceeds 8); or
3. Modify ipfw.c to set fw_tcpnf to -1 (work-around).

An acceptable work-around is to modify ipfw.c, appending

    rule.fw_tcpnf = -1;

after line 1896, which reads

    rule.fw_tcpf |= IP_FW_TCPF_ESTAB;

How-To-Repeat:

Create an ipfw ruleset incorporating the following general rules:

    ...
    accept tcp from TARGET to SECURE established
    deny tcp from TARGET to SECURE
    ...

then attempt to connect from TARGET to SECURE with TCP flag 0x40 (ECN-Echo) set.
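To make the flag collision concrete, the following is an added model of the matcher, written for this page; it is not the ip_fw.c source. The field names fw_tcpf/fw_tcpnf and the constant IP_FW_TCPF_ESTAB are taken from the report, the TH_* values are the standard TCP header bits, and the value 0x40 for IP_FW_TCPF_ESTAB is assumed from the "tcp flag 0x40" reproduction step above; the matching logic itself is a simplification. It evaluates the two-rule set from How-To-Repeat three ways: with the pre-fix matcher, with the fw_tcpnf = -1 work-around (option 3), and with "established" kept out of fw_tcpf (option 1). It also goes slightly beyond the report by including an RFC 2481 ECN-setup SYN (SYN|ECE|CWR), which the pre-fix rule passes for the same reason.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits: RFC 793 plus the two ECN bits from RFC 2481. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* ECN-Echo */
#define TH_CWR  0x80   /* Congestion Window Reduced */

/* ipfw's private "established" marker. Assumed to be 0x40 here, because the
   PR reproduces the bug with "tcp flag 0x40": the marker shares a bit with
   TH_ECE. */
#define IP_FW_TCPF_ESTAB 0x40

/* Simplified rule: flags that must be set, flags that must be clear, and
   (for the option 1 variant) a separate "established" attribute. */
struct fw_rule {
    uint8_t fw_tcpf;
    uint8_t fw_tcpnf;
    bool    established;
};

/* Pre-fix matcher as modelled here (not the actual ip_fw.c code). */
static bool match_prefix(const struct fw_rule *r, uint8_t th_flags)
{
    /* "established" shortcut: RST or ACK means an existing connection. */
    if ((r->fw_tcpf & IP_FW_TCPF_ESTAB) && (th_flags & (TH_RST | TH_ACK)))
        return true;
    /* Generic test: every fw_tcpf bit set, no fw_tcpnf bit set. Because
       IP_FW_TCPF_ESTAB == TH_ECE, a packet carrying only ECN-Echo reaches
       this test and satisfies it. */
    if ((th_flags & r->fw_tcpf) != r->fw_tcpf)
        return false;
    return (th_flags & r->fw_tcpnf) == 0;
}

/* Option 1: "established" is its own attribute; fw_tcpf holds only real bits. */
static bool match_fixed(const struct fw_rule *r, uint8_t th_flags)
{
    if (r->established && !(th_flags & (TH_RST | TH_ACK)))
        return false;
    if ((th_flags & r->fw_tcpf) != r->fw_tcpf)
        return false;
    return (th_flags & r->fw_tcpnf) == 0;
}

/* The ruleset from How-To-Repeat: "accept ... established" then "deny".
   Returns true if the packet is accepted. */
static bool ruleset_accepts(bool (*match)(const struct fw_rule *, uint8_t),
                            const struct fw_rule *estab, uint8_t th_flags)
{
    return match(estab, th_flags);   /* no match falls through to deny */
}

/* Pre-fix behaviour: fw_tcpf carries IP_FW_TCPF_ESTAB, fw_tcpnf is 0. */
bool prefix_accepts(uint8_t th_flags)
{
    struct fw_rule r = { .fw_tcpf = IP_FW_TCPF_ESTAB, .fw_tcpnf = 0, .established = false };
    return ruleset_accepts(match_prefix, &r, th_flags);
}

/* Option 3 work-around: fw_tcpnf = -1 (0xff in a u_char). The generic test
   now rejects any packet with any flag set, so only the RST/ACK shortcut
   can accept. */
bool workaround_accepts(uint8_t th_flags)
{
    struct fw_rule r = { .fw_tcpf = IP_FW_TCPF_ESTAB, .fw_tcpnf = (uint8_t)-1, .established = false };
    return ruleset_accepts(match_prefix, &r, th_flags);
}

/* Option 1: established no longer lives in fw_tcpf at all. */
bool fixed_accepts(uint8_t th_flags)
{
    struct fw_rule r = { .fw_tcpf = 0, .fw_tcpnf = 0, .established = true };
    return ruleset_accepts(match_fixed, &r, th_flags);
}

int main(void)
{
    /* Constructed probe packets: the PR's ECE-only probe, an RFC 2481
       ECN-setup SYN, a plain SYN, and a mid-connection ACK. */
    const struct { const char *name; uint8_t flags; } pkts[] = {
        { "ECE only",    TH_ECE },
        { "SYN|ECE|CWR", TH_SYN | TH_ECE | TH_CWR },
        { "SYN",         TH_SYN },
        { "ACK",         TH_ACK },
    };
    printf("%-12s %-8s %-11s %s\n", "packet", "pre-fix", "workaround", "fixed");
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("%-12s %-8s %-11s %s\n", pkts[i].name,
               prefix_accepts(pkts[i].flags) ? "accept" : "deny",
               workaround_accepts(pkts[i].flags) ? "accept" : "deny",
               fixed_accepts(pkts[i].flags) ? "accept" : "deny");
    return 0;
}
```

The pre-fix column accepts both the bare ECN-Echo probe and the ECN-setup SYN, so the "deny" rule never sees them; both fixed columns pass only packets carrying RST or ACK. Option 1 is preferred over the work-around because the work-around still depends on fw_tcpnf being consulted after the shortcut, which is exactly the kind of coupling that needs rework once more than eight flag values are allocated.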