Subject: RE: CVS performance question & ipf rules
To: Bill Studenmund <wrstuden@netbsd.org>
From: Conrad T. Pino <NetBSD-Current@Pino.com>
List: current-users
Date: 02/07/2004 17:50:44
> > This presumption is not correct.  A rule permitting inbound traffic IS
> > needed but a STATIC rule i.e. "pass in" is an unneeded security risk.
> > The STATIC "pass in" rule may allow *anyone* sending from port 2401 to
> > use any destination port depending on how tightly the rule is written.
> 
> Huh??? cvs update from walt's net to the cvs server should _not_ require 
> connections incoming to walt's from the cvs server.

We agree, "incoming connections" are NOT required.

I referred to "inbound traffic" i.e. responses to "outgoing connections".

This example will fail because incoming responses are blocked:

	block in all
	block out all

	pass out quick proto tcp from any to any

This example will work but is a nasty security risk:

	block in all
	block out all

	pass out quick proto tcp from any to any

	pass in quick proto tcp from any port = 2401 to any

This example will work and avoids the static incoming rule:

	block in all
	block out all

	pass out quick proto tcp from any to any keep state

The "keep state" clause allows state following temporary rules to be
created and deleted dynamically as needed.

It took me a while to understand the security value of "keep state"
when I first started with "ipf".  I was under the impression that
Walt may be new to "ipf" also and wanted to underscore Brian's
suggestion regarding "keep state" and avoiding static incoming
rules when possible.

I don't believe Bill and I are disagreeing.  The topic is complex and
subtle, requiring precise, mutually understood definitions.

In this case "incoming connections" and "incoming/inbound traffic" are
different phases in time of an active TCP connection.  Bi-directional
rules ARE required for TCP to work.  The question of *how* and *when*
the rules are created and/or deleted makes a big impact on security
provided by the firewall.

> I've used both pserver and ssh-auth anonymous cvs servers from my home 
> net, which is behind a NAT. No incoming connections have been needed.

I suspect that "keep state" appears in your rule set.

Bill, I'm willing to make a small wager that "ipfstat -sl" will display
incoming rules you didn't know you had.  $1 US perhaps?

> Take care,
> 
> Bill

Many thanks,

Conrad
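The following is an added illustration, not part of the original message and not ipf code: a small Python model of the three rule sets quoted above, with ipf's matching order reduced to the parts the thread relies on (the state table is consulted before the rule list; among static rules the last match wins unless a matching rule is "quick"). The addresses, the ephemeral port 40000 and the "unsolicited" packet aimed at port 22 are constructed for the demonstration. Running each rule set against one outgoing CVS connection and one unsolicited packet sent from source port 2401 shows why the first set fails, why the static "pass in" set is a risk, and why "keep state" gives the needed reply path without opening a hole.

```python
"""Toy model of ipf rule evaluation for the three pserver rule sets (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving at this host) or "out"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    # Simplified ipf rule: every rule is "proto tcp from any to any" with an
    # optional source-port match, plus the "quick" and "keep state" flags.
    action: str                   # "block" or "pass"
    direction: str                # "in" or "out"
    sport: Optional[int] = None   # None means "any" source port
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return self.direction == p.direction and (self.sport is None or self.sport == p.sport)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # flows recorded by a matching "keep state" rule

    def filter(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        # The state table is consulted first: packets of a tracked flow, in
        # either direction, pass without reaching the static rules.
        if flow in self.state or reply in self.state:
            return "pass"
        winner = None
        for r in self.rules:   # last match wins unless a matching rule is "quick"
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "block"
        if winner.action == "pass" and winner.keep_state:
            self.state.add(flow)   # this is the "temporary rule" created on demand
        return winner.action


BASE = [Rule("block", "in"), Rule("block", "out")]   # block in all / block out all
RULESETS = {
    # ... pass out quick proto tcp from any to any
    "static-none": BASE + [Rule("pass", "out", quick=True)],
    # ... plus: pass in quick proto tcp from any port = 2401 to any
    "static-2401": BASE + [Rule("pass", "out", quick=True),
                           Rule("pass", "in", sport=2401, quick=True)],
    # ... pass out quick proto tcp from any to any keep state
    "keep-state": BASE + [Rule("pass", "out", quick=True, keep_state=True)],
}

# Constructed addresses for the demonstration (RFC 5737 documentation ranges).
CLIENT, SERVER, STRANGER = "10.0.0.5", "192.0.2.10", "198.51.100.7"


def run(name: str) -> dict:
    """Return the verdict for a CVS SYN, its reply, and an unsolicited packet."""
    fw = Firewall(RULESETS[name])
    syn = fw.filter(Packet("out", CLIENT, 40000, SERVER, 2401))
    reply = fw.filter(Packet("in", SERVER, 2401, CLIENT, 40000))
    # Anyone can set their source port to 2401; here it is aimed at sshd.
    unsolicited = fw.filter(Packet("in", STRANGER, 2401, CLIENT, 22))
    return {"syn": syn, "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name in RULESETS:
        print(name, run(name))
```

The "static-2401" set passes the reply but also the unsolicited packet, which is the hole the message warns about; "keep-state" passes only the reply, because the entry created by the outgoing SYN is the only thing that lets inbound traffic through. Those dynamically created entries are what "ipfstat -sl" lists.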