This is a discussion on "Verify whether PF is stateful inspection" within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Dear all,

As our client needs to make sure the PF in OpenBSD is a stateful firewall, I need to conduct a little test against the PF from the internet. Is there any tool I can use to issue an unstateful connection to the OpenBSD PF firewall, so that the result indicates it is stateful?

Thanks
Sam
Sam wrote:
> Dear all,
>
> As our client need to make sure the PF in OpenBSD is a stateful
> firewall, I need to conduct a little test against the PF from the
> internet. Is there any tool I can issue an unstateful connection to the
> OpenBSD PF firewall and the result should indicate it is stateful?
>
> Thanks
> Sam

I just found something with nmap. Is the half-open option (-sS) of nmap actually trying to generate an unstateful connection? What other example can I use?

Thanks
sam
On Tue, 19 Aug 2003 16:02:01 +0800, Sam wrote:
> As our client need to make sure the PF in OpenBSD is a stateful
> firewall, I need to conduct a little test against the PF from the
> internet. Is there any tool I can issue an unstateful connection to the
> OpenBSD PF firewall and the result should indicate it is stateful?

With a stateless firewall, you have to allow certain incoming packets to allow replies for outgoing connections. For instance, if you want to allow replies to outgoing http connections, you usually need something like

    pass out from any port > 1024 to any port 80
    pass in from any port 80 to any port > 1024

The problem is that you're allowing in any packets from source port 80, even if they're not part of an outgoing connection. Set up a listener on port 1234 on the local host, then connect to it from an external host (using source port 80; use nc as root on OpenBSD). If you can connect, the firewall is stateless.

If the firewall is stateful, you'd use instead

    pass out from any to any port 80 keep state
    block in from any to any

which would still allow in replies to outgoing connections. Now repeat the test by trying to connect from the external host port 80 to the local host port 1234. You won't succeed.

You can use dnet from ports/net/libdnet to send arbitrary TCP packets from the external host. Establish a TCP connection from/to the firewall'ed host, then use dnet on the external host to try to deliver arbitrary TCP packets (with the same source/destination address/port), but random TCP sequence numbers. A stateful firewall will compare the sequence numbers, and only pass those packets with sequence numbers within a narrow window, defined by the established connection.

For added fun, you can fragment the manually generated TCP packets, make the fragments overlap, overlap the TCP header, send different data for overlaps (including different TCP port numbers), etc.

Another way to show that pf is stateful is explaining what 'modulate state' does, and demonstrating that it works (using a host with weak ISN generation, for optimum effect). There is no way to implement this feature in a stateless firewall (supporting multiple concurrent connections, using different random modulators for each connection).

Daniel
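The two tests Daniel describes, modelled in code as an added example (this is not part of the original thread and not pf's own implementation): a stateless rule that matches on ports alone is compared with a stateful one that creates state on the outbound SYN and checks later sequence numbers against a window. The addresses, the 65535-byte window and the single-direction sequence tracking are simplifying assumptions.

```python
from collections import namedtuple

# A packet reduced to the fields the filter looks at (constructed for this model).
Pkt = namedtuple("Pkt", "src sport dst dport seq flags")  # flags: "S", "SA" or "A"
WINDOW = 65535  # assumed: how far a sequence number may stray from the tracked one

def stateless_pass_in(p):
    # 'pass in from any port 80 to any port > 1024': decided on ports alone, so an
    # unsolicited packet that merely uses source port 80 is let through.
    return p.sport == 80 and p.dport > 1024

class StatefulFilter:
    """Model of 'pass out from any to any port 80 keep state' + 'block in from any to any'."""
    def __init__(self):
        self.states = {}  # keyed by (src, sport, dst, dport) of the outbound SYN

    def pass_out(self, p):
        if p.dport == 80 and "S" in p.flags:
            self.states[(p.src, p.sport, p.dst, p.dport)] = {}  # create state
            return True
        return False

    def pass_in(self, p):
        st = self.states.get((p.dst, p.dport, p.src, p.sport))  # reverse of outbound key
        if st is None:
            return False  # no matching state: 'block in from any to any' applies
        if "peer_seq" not in st:
            st["peer_seq"] = p.seq  # learn the peer's ISN from its SYN/ACK
            return True
        # later packets must carry a sequence number close to what the state expects
        if (p.seq - st["peer_seq"]) % 2**32 < WINDOW:
            st["peer_seq"] = p.seq
            return True
        return False

def unsolicited_test():
    # Daniel's first test: external host connects from source port 80 to local port 1234
    probe = Pkt("203.0.113.5", 80, "192.0.2.10", 1234, seq=1000, flags="S")
    return stateless_pass_in(probe), StatefulFilter().pass_in(probe)

def sequence_test():
    # Daniel's second test: a real connection, then a forged packet with a random seq
    f = StatefulFilter()
    f.pass_out(Pkt("192.0.2.10", 40000, "203.0.113.5", 80, seq=5000, flags="S"))
    f.pass_in(Pkt("203.0.113.5", 80, "192.0.2.10", 40000, seq=9000, flags="SA"))
    genuine = Pkt("203.0.113.5", 80, "192.0.2.10", 40000, seq=9001, flags="A")
    forged = Pkt("203.0.113.5", 80, "192.0.2.10", 40000, seq=3_000_000_000, flags="A")
    return f.pass_in(genuine), f.pass_in(forged), stateless_pass_in(forged)
```

The stateless rule passes both the unsolicited probe and the forged packet, while the stateful model passes only packets that match an existing state and its expected sequence range.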
Daniel Hartmeier wrote:
> On Tue, 19 Aug 2003 16:02:01 +0800, Sam wrote:
>
>> As our client need to make sure the PF in OpenBSD is a stateful
>> firewall, I need to conduct a little test against the PF from the
>> internet. Is there any tool I can issue an unstateful connection to the
>> OpenBSD PF firewall and the result should indicate it is stateful?
>
> With a stateless firewall, you have to allow certain incoming packets
> to allow replies for outgoing connections. For instance, if you want
> to allow replies to outgoing http connections, you usually need
> something like
>
>     pass out from any port > 1024 to any port 80
>     pass in from any port 80 to any port > 1024
>
> The problem is that you're allowing in any packets from source
> port 80, even if they're not part of an outgoing connection.
> Set up a listener on port 1234 on the local host, then connect
> to it from an external host (using source port 80, use nc as
> root on OpenBSD). If you can connect, the firewall is stateless.
>
> If the firewall is stateful, you'd use instead
>
>     pass out from any to any port 80 keep state
>     block in from any to any
>
> which would still allow in replies to outgoing connections. Now
> repeat the test by trying to connect from the external host port
> 80 to the local host port 1234. You won't succeed.
>
> You can use dnet from ports/net/libdnet to send arbitrary TCP
> packets from the external host. Establish a TCP connection from/to
> the firewall'ed host, then use dnet on the external host to try to
> deliver arbitrary TCP packets (with the same source/destination
> address/port), but random TCP sequence numbers. A stateful
> firewall will compare the sequence numbers, and only pass those
> packets with sequence numbers within a narrow window, defined
> by the established connection.
>
> For added fun, you can fragment the manually generated TCP
> packets, make the fragments overlap, overlap the TCP header,
> send different data for overlaps (including different TCP
> port numbers), etc.
>
> Another way to show that pf is stateful is explaining what
> 'modulate state' does, and demonstrate that it works (using
> a host with weak ISN generation, for optimum effect). There
> is no way to implement this feature in a stateless firewall
> (supporting multiple concurrent connections, using different
> random modulators for each connection).
>
> Daniel

Thanks Daniel. How about using the following simpler way to verify it:

Block and lock everything, allow outgoing connections from your browser, and see if the fw locks the returning data. If the page gets displayed, the fw is a stateful firewall. Otherwise, I will have to add a rule like "allow from any 80 to myself any".

Does this make sense?

Thanks
sam