[j-nsp] Rule to prevent illegitimate TCP attacks

jnunyez jnunyez at ac.upc.edu
Thu Jul 28 02:58:18 EDT 2005


First thanks for your response.

I know the existence of such match statements like tcp-established or 
tcp-initial, but I think they have a problem. I continue with my example:

What will happen if a host from subnetwork B sends a TCP packet directly, with 
the flags SYN & ACK set, to a host on subnetwork A?

This TCP packet doesn't belong to a three-way handshake, and it can be 
sent with a utility like "hping". I know this is possible and I know it will 
provoke a response on subnetwork B.

I'm not sure if this is a real security problem or not. Is it?
For this reason I would prefer to use rules that are stateful. With a stateful 
firewall rule the TCP packet sent from subnetwork B that I mentioned before 
wouldn't be received.

But the problem is that I don't know how to make this kind of stateful 
firewall rule. (I have an AS PIC and I have read the public documentation, 
but I still don't know how it works.)

Another question: is there something similar to "tcp-established" for 
non-TCP traffic?

For example, to permit DNS queries to my DNS server in network A from network 
B, I'm doing it like this:

Filter on inbound interface on network B:

term allow_dns_queries-from-B-to-A {
    from {
        source-address <network B>;
        destination-address <network A>;
        protocol udp;
        destination-port domain;
    }
    then accept;
}

Filter on inbound interface on network A:

term allow_dns_queries-from-B-to-A {
    from {
        source-address <network A>;
        destination-address <network B>;
        protocol udp;
        source-port domain;
    }
    then accept;
}

So I'm making two rules for each UDP service I want to allow. Any other way?

Regards,
Jose

On Thursday 28 July 2005 00:54, Erdem Sener wrote:
> Hi,
>
>  I guess what you're looking for is 'tcp-established', and it is indeed
> possible. Still, you might want to think about non-TCP traffic (such
> as DNS queries).
>
>  In your example, a firewall filter that is applied to the outbound
> interface for network A could look like this:
>
>  term established-from-B-to-A {
>     from {
>         source-address {
>             <network B>;
>         }
>         destination-address {
>             <network A>;
>         }
>         tcp-established;
>     }
>     then accept;
> }
> term block-non-established-tcp-from-B-to-A {
>     from {
>         source-address {
>             <network B>;
>         }
>         destination-address {
>             <network A>;
>         }
>         protocol tcp;
>     }
>     then {
>         reject;
>     }
> }
>
>
> term the_rest {
>     then {
>         accept; ##assuming you only want to alter tcp traffic.
>     }
> }
>
>  I would suggest thinking more than twice on what's needed and what's
> going to happen before applying any firewall filters that will affect
> live traffic.
>
> Hope this helps,
> Erdem
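An added example (not code from this thread, from Juniper, or from the AS PIC) that models in Python the gap Jose describes: a stateless term built on tcp-established beside a minimal connection tracker, run over the same packets. It assumes the Junos semantics that tcp-established is an alias for tcp-flags "(ack | rst)"; the addresses and packets are constructed.

```python
from ipaddress import ip_address, ip_network
from collections import namedtuple

# Constructed packet model and networks (not from the thread).
Pkt = namedtuple("Pkt", "src dst sport dport flags")  # flags: set of strings
NET_A = ip_network("10.1.0.0/24")
NET_B = ip_network("10.2.0.0/24")

def tcp_established(pkt):
    """Junos tcp-established: matches tcp-flags "(ack | rst)", nothing more."""
    return bool(pkt.flags & {"ack", "rst"})

def stateless_b_to_a(pkt):
    """The quoted terms: B->A accepted only when tcp-established, else reject;
    everything else falls through to the_rest and is accepted."""
    if ip_address(pkt.src) in NET_B and ip_address(pkt.dst) in NET_A:
        return "accept" if tcp_established(pkt) else "reject"
    return "accept"

class StatefulFilter:
    """Minimal connection tracker: B->A is accepted only for a flow that a
    host in A opened with a SYN, which is the behaviour a stateful rule adds."""
    def __init__(self):
        self.flows = set()  # (a_host, a_port, b_host, b_port)

    def filter(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if src in NET_A and dst in NET_B:
            if pkt.flags == {"syn"}:  # new connection opened from A
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if src in NET_B and dst in NET_A:
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "accept" if reverse in self.flows else "reject"
        return "accept"

def compare(pkts):
    """Run both filters over one packet sequence; returns (stateless, stateful)
    decision pairs in order."""
    sf = StatefulFilter()
    return [(stateless_b_to_a(p), sf.filter(p)) for p in pkts]

# Constructed traffic: a real A->B connection, then a SYN/ACK from B to A
# that no host in A asked for. The stateless term accepts both B->A packets;
# only the tracker rejects the unsolicited one.
legit_syn = Pkt("10.1.0.5", "10.2.0.9", 40000, 80, {"syn"})
legit_synack = Pkt("10.2.0.9", "10.1.0.5", 80, 40000, {"syn", "ack"})
unsolicited = Pkt("10.2.0.7", "10.1.0.5", 80, 50000, {"syn", "ack"})
```

Calling compare([legit_syn, legit_synack, unsolicited]) shows the two filters agree on the handshake packets and disagree only on the unsolicited SYN/ACK.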