  Exploring the Mac OS X Firewall
Subject:   Slight error
Date:   2005-03-16 09:18:48
From:   finkga
The article states:

02050 allow tcp from any to any out
02060 allow tcp from any to any established

> Here we allow any outbound packets through and
> follow this up by allowing any previously
> established connections back in. The firewall
> is "state-full"—that is to say it doesn't just
> process a packet and forget about it as it
> moves on to the next one. It remembers that it
> allowed a connection from my computer to my
> ISP's mail server and therefore can identify
> incoming packets as being part of the same
> connection and allow them back in without a
> whole host of new rules.

This is not an example of stateful processing. The first rule allows any outgoing tcp connection; it doesn't care whether it is a new connection or an established one. To restrict the outbound rule to new connections only, you must append the word "setup" to this rule. This matches only tcp packets with the SYN bit set.

The second rule allows only tcp packets without the SYN bit set to pass. With the two rules entered as listed, someone with nmap can still use ACK packets (pretending to be part of an existing connection) to scan your machine.

If you really want stateful monitoring of connections you need to use the check-state rule and the keep-state actions. For instance, adding the rules:

add 2050 check-state
add 2060 allow tcp from me to any out setup keep-state

will make the firewall stateful. The first rule says, "match the packets against any of the dynamic rules I've made so far." If none of these matches, the next rule comes into play. Rule 2060 says, "if this is a new outgoing connection initiated by me, make a dynamic rule that will allow any traffic from this connection through."

With these modified rules, incoming ACK packets and other beasts trying to pretend they are part of an existing connection will not match and will be turned away at the door. Check out the ipfw man page for more details.

Hope this isn't as confusing as it sounds.

-- Glenn

  • Slight error
    2005-03-17 01:01:12  peterhickman

    You are correct, I am using the term 'state-full' incorrectly here. What I wanted to get across was that ipfw did have a memory of previous connections and could recognise a packet as belonging to an already established / permitted connection.

    Having said that, 'state-full' does have a technical meaning in regards to firewalls and misusing it isn't going to help anybody.

    Thanks again for the correction.
    • Slight error
      2006-02-04 15:51:27  sumbach

      This still isn't quite right. Using your rules, ipfw doesn't have any memory at all--it's using the TCP flags to determine whether the connection is established or not.

      A stateful ipfw ruleset will always contain at least one rule with the 'check-state' action and at least one rule with the 'keep-state' option. ipfw's "memory" is in the form of dynamic rules.
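The difference Glenn and sumbach are describing, between a ruleset that only tests TCP flags and one that remembers flows in dynamic rules, can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the thread, from the article, or from ipfw itself. It models only the handful of ipfw features the posts mention (in/out direction, the "me"/"any" address keywords, the "setup" and "established" flag tests, and check-state/keep-state dynamic rules), and the host address, mail server, scanner address and packets are constructed for the demonstration. The final catch-all action is assumed to be a deny.

```python
"""Toy simulation of ipfw rule evaluation with and without dynamic rules.

Added example, not part of the original thread. It models a tiny subset of
ipfw: 'in'/'out' direction, 'me'/'any' addresses, the 'setup' and
'established' TCP-flag tests, and the check-state / keep-state pair that
creates and consults dynamic rules. All addresses and packets are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ME = "10.0.0.5"            # assumed address of the firewalled host ('me')
MAIL = "192.0.2.25"        # constructed ISP mail server
SCANNER = "198.51.100.7"   # constructed scanning host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out"
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "check-state"
    src: str = "any"                 # "any", "me" or a literal address
    dst: str = "any"
    direction: Optional[str] = None  # "in", "out" or None for either
    setup: bool = False              # SYN set and ACK clear: a new connection
    established: bool = False        # ACK or RST set, as ipfw(8) defines it
    keep_state: bool = False         # create a dynamic rule when matched


def addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or (pattern == "me" and addr == ME) or pattern == addr


def flow_key(p: Packet) -> frozenset:
    # A dynamic rule matches both directions of a flow, so key on the
    # unordered pair of endpoints.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def static_match(r: Rule, p: Packet) -> bool:
    if not (addr_match(r.src, p.src) and addr_match(r.dst, p.dst)):
        return False
    if r.direction is not None and r.direction != p.direction:
        return False
    if r.setup and not (p.syn and not p.ack):
        return False
    if r.established and not (p.ack or p.rst):
        return False
    return True


class Firewall:
    def __init__(self, rules, default: str = "deny"):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.default = default   # assumed final catch-all rule
        self.dynamic = {}        # flow_key -> action of the rule that created it

    def filter(self, p: Packet) -> str:
        for r in self.rules:
            # check-state (and, implicitly, any keep-state rule) consults the
            # dynamic rules before the static rule text is considered.
            if r.action == "check-state" or r.keep_state:
                if flow_key(p) in self.dynamic:
                    return self.dynamic[flow_key(p)]
                if r.action == "check-state":
                    continue
            if static_match(r, p):
                if r.keep_state:
                    self.dynamic[flow_key(p)] = r.action
                return r.action
        return self.default


def flags_only_firewall() -> Firewall:
    """The article's two rules: no memory, only TCP flag tests."""
    return Firewall([
        Rule(2050, "allow", direction="out"),
        Rule(2060, "allow", established=True),
    ])


def stateful_firewall() -> Firewall:
    """Glenn's replacement: check-state plus a keep-state setup rule."""
    return Firewall([
        Rule(2050, "check-state"),
        Rule(2060, "allow", src="me", direction="out", setup=True, keep_state=True),
    ])


# A legitimate outbound SMTP session: SYN out, SYN/ACK back, ACK out.
SMTP_SESSION = [
    Packet(ME, 49152, MAIL, 25, "out", syn=True),
    Packet(MAIL, 25, ME, 49152, "in", syn=True, ack=True),
    Packet(ME, 49152, MAIL, 25, "out", ack=True),
]

# An nmap-style ACK probe to port 22 with no connection behind it.
ACK_PROBE = Packet(SCANNER, 40000, ME, 22, "in", ack=True)


def run(fw: Firewall, packets) -> list:
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for name, build in (("flags-only", flags_only_firewall), ("stateful", stateful_firewall)):
        fw = build()
        print(name, "SMTP session:", run(fw, SMTP_SESSION))
        print(name, "ACK probe:", fw.filter(ACK_PROBE))
```

Both rulesets pass the real SMTP session, but only the flags-only ruleset lets the forged ACK probe through, because rule 2060 has nothing to consult except the ACK bit. The stateful ruleset denies it: check-state finds no dynamic rule for that flow, and the static text of rule 2060 requires a SYN from "me" going out. Real ipfw dynamic rules also carry a lifetime and follow the TCP state transitions (SYN, established, FIN/RST), which this toy leaves out.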