From owner-freebsd-security@FreeBSD.ORG Sun Sep 19 07:45:47 2004
Date: Sun, 19 Sep 2004 02:45:44 -0500 (CDT)
From: Mike Silbersack
To: stheg olloydson
cc: freebsd-security@freebsd.org
Subject: Re: Random source ports in FreeBSD?
Message-ID: <20040919023634.I11704@odysseus.silby.com>
In-Reply-To: <20040918222428.97931.qmail@web53902.mail.yahoo.com>

On Sat, 18 Sep 2004, stheg olloydson wrote:

> Hello,
>
> I don't think Mr Gerun has a problem with the way port randomizing is
> implemented. I believe that because he couldn't find any information
> about FBSD doing port randomization, he thought it wasn't implemented
> at all, so he wrote some patches to enable it.
> I missed this bit in the Release Notes myself. Thanks for the effort! I
> do have a question, though. I don't understand the commit procedure, so
> I have always been a little perplexed by some of the nomenclature in
> the CVS log. For example, entries 1.143-1.46 are to Branch: Main, while
> 1.59.2.27.2.1 is to Branch: RELENG_4_10 and 1.5.2.28 is to Branch:
> RELENG_4. What exactly is Branch: Main? Is it RELENG_5? If so, does that
> mean your changes are not in RELENG_5_2?
>
> Regards,
>
> Stheg

Branch Main is -CURRENT; right now that means it's 6.0, but back when I did the commit, it was 5.2-CURRENT, and RELENG_5 did not yet exist. You are correct that port randomization was not merged into the releng_5_2 branch. Your other deductions are correct, AFAIK.

To take this a bit more back on-topic, port randomization was not merged into the security branches because we don't consider RST attacks to be a threat to most users. Once we have finalized fixes for the RST and SYN vectors of the attack, we'll merge those changes, but only to 5-stable and 4-stable. (If you feel that those changes should be merged to the security branches, please tell me AFTER the fixes go in, not now - I don't need the distraction.)

Mike "Silby" Silbersack
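The reply above weighs the blind RST attack as a risk, and source-port randomization is the mitigation under discussion. The following Python script is an added worked example, not part of the mailing-list thread or of FreeBSD's code: it quantifies why randomizing the ephemeral port matters by computing how many spoofed segments an off-path sender would have to emit to cover every combination of source port and in-window sequence number for one connection, and the equivalent entropy in bits. The receive window (65536), the packet rate (10,000 packets per second) and the two port policies (a predictable sequential port, modelled as one candidate, versus a random pick from a 16,384-port range) are constructed assumptions chosen to make the arithmetic clean, not values taken from the thread.

```python
import math

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits wide


def rst_guess_space(num_source_ports: int, window: int) -> dict:
    """Work factor for a blind RST against one connection whose other
    three tuple elements (src addr, dst addr, dst port) are known.

    A RST is accepted when its sequence number falls inside the receive
    window, so one spoofed segment covers a window-sized slice of the
    sequence space for one guessed source port.  Covering everything
    therefore takes ceil(2^32 / window) segments per candidate port.
    """
    if num_source_ports < 1 or window < 1:
        raise ValueError("ports and window must be positive")
    seq_guesses = math.ceil(SEQ_SPACE / window)
    packets = num_source_ports * seq_guesses
    return {
        "seq_guesses": seq_guesses,
        "packets": packets,
        "entropy_bits": math.log2(packets),
    }


def seconds_at_rate(packets: int, packets_per_second: int) -> float:
    """Wall-clock time to send the whole guess space at a fixed rate."""
    return packets / packets_per_second


def compare_policies(window: int = 65536, pps: int = 10_000) -> dict:
    """Constructed comparison of the two port-selection policies.

    sequential: next ephemeral port is predictable, so the attacker is
                modelled as needing a single port guess.
    random:     port drawn uniformly from a 16,384-port range (the size
                of 49152-65535, used here only as a constructed example).
    """
    sequential = rst_guess_space(num_source_ports=1, window=window)
    random_pick = rst_guess_space(num_source_ports=16_384, window=window)
    return {
        "sequential_packets": sequential["packets"],
        "sequential_seconds": seconds_at_rate(sequential["packets"], pps),
        "random_packets": random_pick["packets"],
        "random_seconds": seconds_at_rate(random_pick["packets"], pps),
        # how much harder the mitigation makes the guess
        "factor": random_pick["packets"] // sequential["packets"],
        "extra_bits": random_pick["entropy_bits"] - sequential["entropy_bits"],
    }


if __name__ == "__main__":
    result = compare_policies()
    for key, value in result.items():
        print(f"{key:>20}: {value}")
```

The output makes the trade-off in the reply concrete: with a 64 KiB window the sequence space alone is only 16 bits of work, which a fast link exhausts in seconds, while a 16,384-port random choice adds 14 bits and turns the same exhaustive sweep into roughly 30 hours at the assumed rate. Narrowing the window (or a more careful in-window check, as in the "RST and SYN vectors" fixes the reply mentions) raises the sequence term; port randomization raises the port term; the two multiply.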