From owner-freebsd-security@FreeBSD.ORG Sun Jul 3 01:01:37 2005
From: Xin LI
To: freebsd-arch@FreeBSD.org, freebsd-security@FreeBSD.org
Message-ID: <20050228162548.GA57140@frontfree.net>
X-GPG-key-ID/Fingerprint: 0xCAEEB8C0 / 43B8 B703 B8DD 0231 B333 DC28 39FB 93A0 CAEE B8C0
X-GPG-Public-Key: http://www.delphij.net/delphij.asc
X-Operating-System: FreeBSD beastie.frontfree.net 5.3-RELEASE-p2 FreeBSD 5.3-RELEASE-p2 #15: Wed Dec 15 10:43:16 CST 2004 delphij@beastie.frontfree.net:/usr/obj/usr/src/sys/BEASTIE i386
Subject: bind() on 127.0.0.1 in jail: bound to the outside address?
Date: Sun, 03 Jul 2005 01:01:39 -0000
X-Original-Date: Tue, 1 Mar 2005 00:25:48 +0800

Dear folks,

It seems that doing bind() inside a jail (whose IP address is an outside address) will result in some weird behavior, in that the actual bind is done on the outside address. For example, binding to 127.0.0.1:6666 inside a jail addressed 192.168.1.1 will finally result in a bind to 192.168.1.1:6666.

With this in mind, it is possible that some formerly secure configurations fail in a jail environment. It seems that our implementation will forward every loopback connection to the outside address.

A simple hack to work around this issue might be to modify the individual bind procedures to treat the prison case with a loopback address, but I'm not sure if a true solution can solve the issue with minimum code change and code complexity.

Your ideas are highly appreciated!

Cheers,
-- 
Xin LI http://www.delphij.net/
See complete headers for GPG key and other information.
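An added check, not part of the original mail, that looks at the behavior Xin LI describes from the service's side: bind to the loopback address the service wants, then ask the kernel with getsockname() where the socket really ended up, so a daemon that assumes it is loopback-only can refuse to start instead of silently listening on the jail's outside address. On an unjailed host it reports 127.0.0.1; in a jail of the kind described it would report the jail IP. The function name is this example's own.

```c
/* Added example, not from the original thread: verify where a "loopback"
 * socket really ended up after bind(), using getsockname(). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to wanted:port, then report the address the kernel
 * actually assigned.  Returns 1 if the bound address equals the wanted
 * address, 0 if the kernel silently rebound it elsewhere, -1 on error.
 * The real address is written to got (at least INET_ADDRSTRLEN bytes). */
int check_loopback_bind(const char *wanted, unsigned short port,
                        char *got, size_t gotlen)
{
    struct sockaddr_in want, have;
    socklen_t len = sizeof(have);
    int s;

    memset(&want, 0, sizeof(want));
    want.sin_family = AF_INET;
    want.sin_port = htons(port);
    if (inet_pton(AF_INET, wanted, &want.sin_addr) != 1)
        return -1;

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    if (bind(s, (struct sockaddr *)&want, sizeof(want)) < 0) {
        close(s);
        return -1;
    }
    /* The jail behavior described in the thread shows up here: inside a
     * jail the kernel may have substituted the jail's address for 127.0.0.1,
     * and only getsockname() reveals it. */
    if (getsockname(s, (struct sockaddr *)&have, &len) < 0) {
        close(s);
        return -1;
    }
    close(s);
    if (inet_ntop(AF_INET, &have.sin_addr, got, (socklen_t)gotlen) == NULL)
        return -1;
    return have.sin_addr.s_addr == want.sin_addr.s_addr;
}

int main(void)
{
    char got[INET_ADDRSTRLEN];
    /* Port 0 lets the kernel pick a free port; only the address matters here. */
    int ok = check_loopback_bind("127.0.0.1", 0, got, sizeof(got));

    if (ok < 0) {
        perror("check_loopback_bind");
        return 2;
    }
    printf("asked for 127.0.0.1, kernel bound %s: %s\n", got,
           ok ? "loopback-only as expected" : "NOT loopback, refusing to serve");
    return ok ? 0 : 1;
}
```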
From owner-freebsd-security@FreeBSD.ORG Sun Jul 3 02:14:10 2005
From: Garrett Wollman
To: Jesper Wallin
Date: Sat, 2 Jul 2005 22:03:48 -0400
Message-ID: <17095.18308.135102.939517@khavrinen.csail.mit.edu>
In-Reply-To: <42C70FED.8080003@hackunite.net>
References: <42C70FED.8080003@hackunite.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: packets with syn/fin vs pf_norm.c

< said:
> First of all, I know that not dropping SYN/FIN isn't really a big deal, it
> just makes no sense. But since it doesn't make any sense, I don't see
> the reason why not to discard them.

Perhaps because you are under the erroneous impression that such
packets are nonsensical.

-GAWollman

From owner-freebsd-security@FreeBSD.ORG Mon Jul 4 00:53:39 2005
From: Dag-Erling Smørgrav <des@des.no>
To: Jesper Wallin
Date: Mon, 04 Jul 2005 02:53:33 +0200
References: <42C70FED.8080003@hackunite.net>
In-Reply-To:
  <42C70FED.8080003@hackunite.net> (Jesper Wallin's message of "Sun, 03 Jul 2005 00:06:37 +0200")
Message-ID: <86fyuvv1bm.fsf@xps.des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: packets with syn/fin vs pf_norm.c

Jesper Wallin writes:
> First of all, I know that not dropping SYN/FIN isn't really a big deal, it
> just makes no sense. But since it doesn't make any sense, I don't see
> the reason why not to discard them.

It is not invalid for a TCP segment to have both SYN and FIN set. See
for instance RFC 1644.

> I'm running pf on FreeBSD 5.4-RELEASE-p3 and I scrub any traffic. I've
> read some other posts on google and as far as I can tell, clearly invalid
> packets (like packets with SYN/RST set) are discarded while scrub simply
> removes the FIN bit on packets with SYN/FIN.

It shouldn't, at least not unconditionally.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Jul 4 11:16:50 2005
From: Michael Schuh
To: delphij@frontfree.net, freebsd-security@freebsd.org
Date: Mon, 4 Jul 2005 13:16:48 +0200
Message-ID: <1dbad315050704041679890bb7@mail.gmail.com>
Subject: Re: bind() on 127.0.0.1 in jail: bound to the outside address?
Hello,

in jails you cannot bind any application to 127.0.0.1; you can always bind only to the jail IP. If you set up sshd in the jail (or another way to get a shell in this jail), you can run ifconfig -a so that you can see you have only the outbound address 192.168.1.1 (the jail IP) to bind services to.

You cannot have more than one 127.0.0.1, because this address is viewable in the host environment, but you can try setting up 127.0.0.2 as a second IP address of the lo device and give this to the jail, but then you lose the other IP (I think, not sure). Try to set the second IP address in rc.conf of the jail.

best regards

michael

From owner-freebsd-security@FreeBSD.ORG Sun Jul 3 21:56:48 2005
From: Jesper Wallin
To: Garrett Wollman
Date: Sun, 03 Jul 2005 23:56:39 +0200
Message-ID: <42C85F17.4050202@ifconfig.se>
References:
  <42C70FED.8080003@hackunite.net> <17095.18308.135102.939517@khavrinen.csail.mit.edu>
In-Reply-To: <17095.18308.135102.939517@khavrinen.csail.mit.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: packets with syn/fin vs pf_norm.c

Garrett Wollman wrote:
> < said:
>
>> First of all, I know that not dropping SYN/FIN isn't really a big deal, it
>> just makes no sense. But since it doesn't make any sense, I don't see
>> the reason why not to discard them.
>
> Perhaps because you are under the erroneous impression that such
> packets are nonsensical.
>
> -GAWollman

That might be the case, yeah.. Yet, if I have TCP_DROP_SYNFIN in my kernel and sysctl net.inet.tcp.drop_synfin set to 1, shouldn't it drop all SYN/FIN packets no matter how my firewall is configured?
Best regards,
Jesper Wallin

From owner-freebsd-security@FreeBSD.ORG Mon Jul 4 01:59:43 2005
From: Garrett Wollman
To: Dag-Erling Smørgrav <des@des.no>
Date: Sun, 3 Jul 2005 21:59:37 -0400
Message-ID: <17096.38921.588487.576918@khavrinen.csail.mit.edu>
In-Reply-To: <86fyuvv1bm.fsf@xps.des.no>
References: <42C70FED.8080003@hackunite.net> <86fyuvv1bm.fsf@xps.des.no>
Cc: freebsd-security@FreeBSD.ORG, Jesper Wallin
Subject: Re: packets with syn/fin vs pf_norm.c

<
> It is not invalid for a TCP segment to have both SYN and FIN set. See
> for instance RFC 1644.

RFC 793 is perhaps the better reference, followed by RFC 1025.

-GAWollman

From owner-freebsd-security@FreeBSD.ORG Tue Jul 5 14:28:59 2005
From: Darren Reed
To: wollman@csail.mit.edu (Garrett Wollman)
Date: Wed, 6 Jul 2005 00:28:45 +1000 (Australia/ACT)
Message-Id: <200507051428.j65ESjJu001522@caligula.anu.edu.au>
In-Reply-To: <17096.38921.588487.576918@khavrinen.csail.mit.edu> from "Garrett Wollman" at Jul 03, 2005 09:59:37 PM
Cc: Dag-Erling Smørgrav, Jesper Wallin,
  freebsd-security@freebsd.org
Subject: Re: packets with syn/fin vs pf_norm.c

In some mail from Garrett Wollman, sie said:
>
> <
> > It is not invalid for a TCP segment to have both SYN and FIN set. See
> > for instance RFC 1644.
>
> RFC 793 is perhaps the better reference, followed by RFC 1025.

No, you're wrong on this.

Packets for TCP with SYN + FIN set are valid under T/TCP.
T/TCP is documented under RFC 1644. To claim that these, earlier,
documents render it ... "dead" is to argue that SACK and all other
TCP enhancements since also fall into that bucket.

Very few people use T/TCP, although I believe FreeBSD is the only
one of the BSDs that has done anything serious with it. pf is wrong
to unconditionally clear the FIN flag. So there are a number of
options here:
- fix pf to not remove the FIN flag in FreeBSD
- don't use T/TCP
- don't use scrub in pf
- don't use pf

I think this is a bug in the scrub implementation and should be
fixed.
Darren

From owner-freebsd-security@FreeBSD.ORG Tue Jul 5 15:10:58 2005
From: Richard Coleman
Organization: Critical Magic
To: Darren Reed
Date: Tue, 05 Jul 2005 11:11:57 -0400
Message-ID: <42CAA33D.9080505@criticalmagic.com>
In-Reply-To: <200507051428.j65ESjJu001522@caligula.anu.edu.au>
References: <200507051428.j65ESjJu001522@caligula.anu.edu.au>
Cc: freebsd-security@freebsd.org, Garrett Wollman, Jesper Wallin, Dag-Erling Smørgrav
Subject: Re: packets with syn/fin vs pf_norm.c

Darren Reed wrote:
> No, you're wrong on this.
>
> Packets for TCP with SYN + FIN set are valid under T/TCP.
> T/TCP is documented under RFC 1644. To claim that these, earlier,
> documents render it ... "dead" is to argue that SACK and all other
> TCP enhancements since also fall into that bucket.
>
> Very few people use T/TCP, although I believe FreeBSD is the only
> one of the BSDs that has done anything serious with it. pf is wrong
> to unconditionally clear the FIN flag. So there are a number of
> options here:
> - fix pf to not remove the FIN flag in FreeBSD
> - don't use T/TCP
> - don't use scrub in pf
> - don't use pf
>
> I think this is a bug in the scrub implementation and should be
> fixed.
>
> Darren

1. I thought that T/TCP was being removed from FreeBSD (already happened?).
2. It's trivial to predict Theo's response to this.
3. Since T/TCP is rare, there is little motivation to alter scrub to function differently than OpenBSD with respect to these packets. If someone really needs this, there are plenty of alternatives.

But more importantly, the original question has been lost. The original question was what should the various firewalls do when the kernel has been compiled with TCP_DROP_SYNFIN. Regardless of whether those packets are valid or not, a person may have reason to compile this feature into the kernel. So, should the firewalls act differently if this kernel option is used?
Richard Coleman
rcoleman@criticalmagic.com

From owner-freebsd-security@FreeBSD.ORG Tue Jul 5 15:17:22 2005
From: Jesper Wallin
To: Darren Reed
Date: Tue, 05 Jul 2005 17:17:12 +0200
Message-ID: <42CAA478.7010806@hackunite.net>
In-Reply-To: <200507051428.j65ESjJu001522@caligula.anu.edu.au>
References: <200507051428.j65ESjJu001522@caligula.anu.edu.au>
Cc: freebsd-security@freebsd.org
Subject: Re: packets with syn/fin vs pf_norm.c

Darren Reed wrote:
> In some mail from
> Garrett Wollman, sie said:
>
>> <
>>
>>> It is not invalid for a TCP segment to have both SYN and FIN set. See
>>> for instance RFC 1644.
>>
>> RFC 793 is perhaps the better reference, followed by RFC 1025.
>
> No, you're wrong on this.
>
> Packets for TCP with SYN + FIN set are valid under T/TCP.
> T/TCP is documented under RFC 1644. To claim that these, earlier,
> documents render it ... "dead" is to argue that SACK and all other
> TCP enhancements since also fall into that bucket.
>
> Very few people use T/TCP, although I believe FreeBSD is the only
> one of the BSDs that has done anything serious with it. pf is wrong
> to unconditionally clear the FIN flag. So there are a number of
> options here:
> - fix pf to not remove the FIN flag in FreeBSD
> - don't use T/TCP
> - don't use scrub in pf
> - don't use pf
>
> I think this is a bug in the scrub implementation and should be
> fixed.
>
> Darren

Like mentioned in my first mail, I don't know anything about C programming, but I just wanted to say that my patch seems to work and scrub will now drop packets with both SYN/FIN bits set. Yet, I doubt it's far from optimized or good to do it that way and I would love it if someone could rewrite/look at it.

Also, I wonder why the TCP_DROP_SYNFIN option isn't checked in pf_norm.c? Sure, it might be bad/good/whatever dropping packets with SYN/FIN, but if you decide to do it and add the TCP_DROP_SYNFIN option, then it should drop them even if you use pf, ipf or ipfw.. or is it just me having wrong expectations?
Best regards,
Jesper Wallin

From owner-freebsd-security@FreeBSD.ORG Wed Jul 6 03:56:56 2005
From: Darren Reed
To: rcoleman@criticalmagic.com (Richard Coleman)
Date: Wed, 6 Jul 2005 13:56:38 +1000 (Australia/ACT)
Message-Id: <200507060356.j663ucHE011742@caligula.anu.edu.au>
In-Reply-To: <42CAA33D.9080505@criticalmagic.com> from "Richard Coleman" at Jul 05, 2005 11:11:57 AM
Cc: freebsd-security@freebsd.org, Garrett Wollman, Jesper Wallin, Darren Reed, Dag-Erling Smørgrav
Subject: Re: packets with syn/fin vs pf_norm.c

In some mail from Richard Coleman, sie said:
> 1. I thought that T/TCP was being removed from FreeBSD (already happened?).
> 2. It's trivial to predict Theo's response to this.
> 3.
> Since T/TCP is rare, there is little motivation to alter scrub to
> function differently than OpenBSD with respect to these packets. If
> someone really needs this, there are plenty of alternatives.

I didn't know about (1) but I'd agree with (2) and (3).

> But more importantly, the original question has been lost. The original
> question was what should the various firewalls do when the kernel has
> been compiled with TCP_DROP_SYNFIN. Regardless of whether those packets
> are valid or not, a person may have reason to compile this feature into
> the kernel. So, should the firewalls act differently if this kernel
> option is used?

IMHO, No.

Darren

From owner-freebsd-security@FreeBSD.ORG Wed Jul 6 04:23:51 2005
From: "fooler"
To: "Darren Reed", "Richard Coleman"
Date: Wed, 6 Jul 2005 12:23:59 +0800
Message-ID: <0fca01c581e2$8866d600$42764eca@ilo.skyinet.net>
References: <200507060356.j663ucHE011742@caligula.anu.edu.au>
Cc: freebsd-security@freebsd.org, Dag-Erling Smørgrav, Darren Reed, Jesper Wallin, Garrett Wollman
Subject: Re: packets with syn/fin vs pf_norm.c
----- Original Message -----
From: "Darren Reed"
To: "Richard Coleman"
Cc: ; "Garrett Wollman"; "Jesper Wallin"; "Darren Reed"; "Dag-Erling Smørgrav"
Sent: Wednesday, July 06, 2005 11:56 AM
Subject: Re: packets with syn/fin vs pf_norm.c

> In some mail from Richard Coleman, sie said:
> > 1. I thought that T/TCP was being removed from FreeBSD (already happened?).
> > 2. It's trivial to predict Theo's response to this.
> > 3. Since T/TCP is rare, there is little motivation to alter scrub to
> > function differently than OpenBSD with respect to these packets. If
> > someone really needs this, there are plenty of alternatives.
>
> I didn't know about (1) but I'd agree with (2) and (3).

even if T/TCP was removed, sending SYN + DATA + FIN is still legal...

fooler.
From owner-freebsd-security@FreeBSD.ORG Wed Jul 6 05:39:19 2005
From: Dag-Erling Smørgrav <des@des.no>
To: Jesper Wallin
Date: Wed, 06 Jul 2005 07:39:13 +0200
Message-ID: <86br5gpk72.fsf@xps.des.no>
In-Reply-To: <42CAA478.7010806@hackunite.net> (Jesper Wallin's message of "Tue, 05 Jul 2005 17:17:12 +0200")
References: <200507051428.j65ESjJu001522@caligula.anu.edu.au> <42CAA478.7010806@hackunite.net>
Cc: freebsd-security@freebsd.org, Darren Reed
Subject: Re: packets with syn/fin vs pf_norm.c

Jesper Wallin writes:
> Also, I wonder why
the TCP_DROP_SYNFIN option isn't checked in pf_norm.c? Because there's no reason for it to be. > Sure, it might be bad/good/whatever dropping packets with SYN/FIN, > but if you decide to do it and add the TCP_DROP_SYNFIN option, then > it should drop them even if you use pf, ipf or ipfw.. No. If you want to drop SYN+FIN frames that pass *through* you (as opposed to those sent *to* you), it's easy enough to add a firewall rule. The TCP_DROP_SYNFIN option should be removed; it has long outlived its original purpose (which was to prevent nmap identification of IRC servers which didn't run ipfw for performance reasons, back in the 3.0 days) DES --=20 Dag-Erling Sm=F8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Wed Jul 6 06:11:29 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C52D16A421 for ; Wed, 6 Jul 2005 06:11:29 +0000 (GMT) (envelope-from fooler@skyinet.net) Received: from smtp1.skyinet.net (smtp1.skyinet.net [202.78.97.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id BB49A43D53 for ; Wed, 6 Jul 2005 06:11:28 +0000 (GMT) (envelope-from fooler@skyinet.net) Received: from fooler (fooler.ilo.skyinet.net [202.78.118.66]) by smtp1.skyinet.net (Postfix) with SMTP id C1CFD58417; Wed, 6 Jul 2005 14:11:25 +0800 (PHT) Message-ID: <107901c581f1$933e4400$42764eca@ilo.skyinet.net> From: "fooler" To: "Jesper Wallin" , =?iso-8859-1?Q?Dag-Erling_Sm=F8rgrav?= References: <200507051428.j65ESjJu001522@caligula.anu.edu.au><42CAA478.7010806@hackunite.net> <86br5gpk72.fsf@xps.des.no> Date: Wed, 6 Jul 2005 14:11:40 +0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1437 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Cc: freebsd-security@freebsd.org, Darren Reed 
Subject: Re: packets with syn/fin vs pf_norm.c X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jul 2005 06:11:29 -0000 ----- Original Message ----- From: "Dag-Erling Smørgrav" To: "Jesper Wallin" Cc: ; "Darren Reed" Sent: Wednesday, July 06, 2005 1:39 PM Subject: Re: packets with syn/fin vs pf_norm.c > The TCP_DROP_SYNFIN option should be removed; it has long outlived its > original purpose (which was to prevent nmap identification of IRC > servers which didn't run ipfw for performance reasons, back in the 3.0 > days) i vote not to remove because it just an option there whether you want it or not for added protection for OS fingerprinting... standard tcp is the most rampant used than t/tcp and most (or all) tcp modules are not combining syn + fin flag in a tcp datagram for normal tcp transaction... fooler. 
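To make the three positions in this thread concrete (drop SYN+FIN before TCP sees it, process it as RFC 793 says, or do what FreeBSD's TCP does), here is an added example of my own, not FreeBSD or pf code, that models what a listening TCP does with a SYN+FIN segment under each behaviour. The state transitions follow RFC 793 pages 65-66 (LISTEN state) and page 75 (eighth check, the FIN bit), which Garrett Wollman's message further down quotes; the "FreeBSD" policy encodes his statement that FreeBSD does not buffer data or a FIN arriving on a SYN unless RFC 1644 is in use. The enum and policy names are this example's own.

```c
/* Model of RFC 793 segment processing at a listening TCP for the
 * SYN+FIN case.  Added example, not FreeBSD or pf code; the policy
 * names below are this example's own labels for the behaviours
 * discussed in the thread. */
#include <stdio.h>

/* TCP control bits (RFC 793, section 3.1). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum tcp_state { LISTEN = 0, SYN_RECEIVED = 1, CLOSE_WAIT = 2 };

enum policy {
    RFC793_STRICT,       /* process every control bit carried on the SYN */
    FREEBSD_IGNORE_FIN,  /* do not act on data/FIN arriving on a SYN (no RFC 1644) */
    DROP_SYNFIN          /* reject SYN+FIN before TCP sees it (normaliser / TCP_DROP_SYNFIN style) */
};

static const char *state_name(enum tcp_state s)
{
    switch (s) {
    case LISTEN:       return "LISTEN";
    case SYN_RECEIVED: return "SYN-RECEIVED";
    case CLOSE_WAIT:   return "CLOSE-WAIT";
    }
    return "?";
}

/* Feed one segment (control bits only) to a socket in LISTEN state.
 * Returns the state afterwards; *dropped is set when the segment was
 * discarded without changing state. */
static enum tcp_state listener_input(unsigned flags, enum policy pol, int *dropped)
{
    *dropped = 0;

    /* A normaliser or the TCP_DROP_SYNFIN option discards the segment
     * before the state machine ever runs. */
    if (pol == DROP_SYNFIN && (flags & TH_SYN) && (flags & TH_FIN)) {
        *dropped = 1;
        return LISTEN;
    }

    /* RFC 793 pp. 65-66, LISTEN state: first an RST is ignored, second
     * any ACK is answered with an RST, third a SYN moves the connection
     * to SYN-RECEIVED, fourth anything else is dropped. */
    if ((flags & TH_RST) || (flags & TH_ACK) || !(flags & TH_SYN)) {
        *dropped = 1;
        return LISTEN;
    }

    /* "any other incoming control or data (combined with SYN) will be
     * processed in the SYN-RECEIVED state" */
    if (!(flags & TH_FIN))
        return SYN_RECEIVED;

    if (pol == FREEBSD_IGNORE_FIN)
        return SYN_RECEIVED;   /* FIN carried on the SYN is not acted on */

    /* p. 75, eighth check: the state is now SYN-RECEIVED, so the FIN is
     * processed and the connection enters CLOSE-WAIT. */
    return CLOSE_WAIT;
}

/* Wrappers without out-parameters, for one-line checks. */
int resulting_state(unsigned flags, enum policy pol)
{
    int d;
    return (int)listener_input(flags, pol, &d);
}

int segment_dropped(unsigned flags, enum policy pol)
{
    int d;
    listener_input(flags, pol, &d);
    return d;
}

int main(void)
{
    /* Constructed sample segments, control bits only. */
    static const struct { const char *label; unsigned flags; } segs[] = {
        { "SYN",     TH_SYN },
        { "SYN+FIN", TH_SYN | TH_FIN },
        { "SYN+ACK", TH_SYN | TH_ACK },
        { "FIN",     TH_FIN },
    };
    static const enum policy pols[] = { RFC793_STRICT, FREEBSD_IGNORE_FIN, DROP_SYNFIN };
    static const char *polnames[] = { "RFC 793", "FreeBSD", "drop SYN+FIN" };
    size_t i, j;

    for (i = 0; i < sizeof segs / sizeof segs[0]; i++) {
        for (j = 0; j < sizeof pols / sizeof pols[0]; j++) {
            int dropped;
            enum tcp_state st = listener_input(segs[i].flags, pols[j], &dropped);
            printf("%-8s under %-13s -> %s\n", segs[i].label, polnames[j],
                   dropped ? "dropped" : state_name(st));
        }
    }
    return 0;
}
```

Run it and the SYN+FIN row shows the whole disagreement in three lines: strict RFC 793 processing ends in CLOSE-WAIT, the FreeBSD-style receiver stays in SYN-RECEIVED because the FIN on the SYN is never acted on, and the drop policy never leaves LISTEN. A lone FIN or a SYN+ACK is discarded by the LISTEN-state rules under every policy, which is why the SYN+FIN combination is the only case where the policies differ.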
From owner-freebsd-security@FreeBSD.ORG Tue Jul 5 20:35:37 2005
From: Garrett Wollman
To: Darren Reed
Cc: freebsd-security@freebsd.org
Date: Tue, 5 Jul 2005 16:35:29 -0400
Subject: Re: packets with syn/fin vs pf_norm.c
Message-ID: <17098.61201.244682.110397@khavrinen.csail.mit.edu>
In-Reply-To: <200507051428.j65ESjJu001522@caligula.anu.edu.au>
References: <17096.38921.588487.576918@khavrinen.csail.mit.edu> <200507051428.j65ESjJu001522@caligula.anu.edu.au>
X-Mailman-Approved-At: Wed, 06 Jul 2005 12:49:10 +0000

< said:
> No, you're wrong on this.
> Packets for TCP with SYN + FIN set are valid under T/TCP.

Packets for TCP with SYN + FIN set are valid under TCP, period.  See
RFC 793 page 66, where it describes the processing of segments with
the SYN bit set:

    The connection state should be changed to SYN-RECEIVED.  Note that
    any other incoming control or data (combined with SYN) will be
    processed in the SYN-RECEIVED state, but processing of SYN and ACK
    should not be repeated.

Later, on page 75, the spec discusses the handling of FIN bits:

    eighth, check the FIN bit,

      Do not process the FIN if the state is CLOSED, LISTEN or SYN-SENT
      since the SEG.SEQ cannot be validated; drop the segment and
      return.

[We are in SYN-RECEIVED at this point so this graf does not apply.]

      If the FIN bit is set, signal the user "connection closing" and
      return any pending RECEIVEs with same message, advance RCV.NXT
      over the FIN, and send an acknowledgment for the FIN.  Note that
      FIN implies PUSH for any segment text not yet delivered to the
      user.

      SYN-RECEIVED STATE
      ESTABLISHED STATE

        Enter the CLOSE-WAIT state.

See also section 3.4 on page 30.  The only thing that RFC 1644 adds to
this is the ability to short-circuit the three-way handshake by means
of persistent sequence numbers.

In short, SYN+FIN segments are legitimate *whether or not* one is
using T/TCP (and one should not be at this point in time, as the T/TCP
protocol is known to be flawed).
Note that the specification does not require a receiver-TCP to buffer
data (including the FIN bit) received on SYN, and FreeBSD in the
current implementation does not do so unless RFC 1644 is in use.  What
PF is doing is not obviously wrong, since it is what FreeBSD's TCP
would normally do anyway.

-GAWollman

From owner-freebsd-security@FreeBSD.ORG Wed Jul 6 14:08:48 2005
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Date: Wed, 6 Jul 2005 14:08:47 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-05:16.zlib
Message-Id: <200507061408.j66E8les081887@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:16.zlib                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in zlib

Category:       core
Module:         libz
Announced:      2005-07-06
Credits:        Tavis Ormandy
Affects:        FreeBSD 5.3, FreeBSD 5.4
Corrected:      2005-07-06 14:01:11 UTC (RELENG_5, 5.4-STABLE)
                2005-07-06 14:01:30 UTC (RELENG_5_4, 5.4-RELEASE-p4)
                2005-07-06 14:01:52 UTC (RELENG_5_3, 5.3-RELEASE-p18)
CVE Name:       CAN-2005-2096

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

II.  Problem Description

An error in the handling of corrupt compressed data streams can result
in a buffer being overflowed.

III. Impact

By carefully crafting a corrupt compressed data stream, an attacker can
overwrite data structures in a zlib-using application.  This may cause
the application to halt, causing a denial of service; or it may result
in the attacker gaining elevated privileges.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4 or
RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.3 and 5.4
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:16/zlib.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:16/zlib.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libz/
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/lib/libz/inftrees.c                                           1.4.2.2
RELENG_5_4
  src/UPDATING                                              1.342.2.24.2.13
  src/sys/conf/newvers.sh                                     1.62.2.18.2.9
  src/lib/libz/inftrees.c                                           1.4.6.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.21
  src/sys/conf/newvers.sh                                    1.62.2.15.2.23
  src/lib/libz/inftrees.c                                           1.4.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:16.zlib.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCy+TYFdaIBMps37IRAqB2AJ4j+wdqj1zJJZdTjskufo7rrsHhcwCgi0SZ
wXRUgGbgl/DtNzyvHi7t/bc=
=anun
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Jul 7 05:38:43 2005
From: Zoran Kolic
To: freebsd-security@freebsd.org
Date: Thu, 7 Jul 2005 07:37:54 +0200
Message-ID: <20050707053754.GA725@faust.net>
Subject: pgp status

Dear all!
I'd like to know if something changed for pgp263i on amd64.  In ports,
the recommended archs are i386 and alpha.  Has someone used the
gpg-idea port (with idea and rsa) to circumvent the pgp <-> gpg
mismatch?

Best regards

Zoran

From owner-freebsd-security@FreeBSD.ORG Thu Jul 7 05:44:19 2005
From: Kris Kennaway
To: Zoran Kolic
Cc: freebsd-security@freebsd.org
Date: Thu, 7 Jul 2005 01:44:17 -0400
Subject: Re: pgp status
Message-ID: <20050707054417.GA19281@xor.obsecurity.org>
In-Reply-To: <20050707053754.GA725@faust.net>
References: <20050707053754.GA725@faust.net>

On Thu, Jul 07, 2005 at 07:37:54AM +0200, Zoran Kolic wrote:
> Dear all!
> I'd like to know if something
> changed for pgp263i on amd64.
> In ports, archs recommended are
> i386 and alpha.
> Has someone used gpg-idea port
> (with idea and rsa) to circum-
> vent pgp <-> gpg mismatch?

What mismatch?  They interoperate just fine.

Kris

From owner-freebsd-security@FreeBSD.ORG Thu Jul 7 08:41:50 2005
From: Colin Percival
To: freebsd-security@freebsd.org
Date: Thu, 07 Jul 2005 01:40:20 -0700
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:16.zlib
Message-id: <42CCEA74.7050609@freebsd.org>
In-reply-to: <200507061408.j66E8les081887@freefall.freebsd.org>
References: <200507061408.j66E8les081887@freefall.freebsd.org>

FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-05:16.zlib                                       Security Advisory
>                                                           The FreeBSD Project
> Affects:        FreeBSD 5.3, FreeBSD 5.4

A few people have asked about this, so to make it clear: This issue
affects FreeBSD 5.3 and FreeBSD 5.4 ONLY.  FreeBSD 4.x is not affected.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Thu Jul 7 17:08:16 2005
From: Michael Nottebrock
To: freebsd-security@freebsd.org
Cc: Zoran Kolic
Date: Thu, 7 Jul 2005 19:08:05 +0200
Subject: Re: pgp status
In-Reply-To: <20050707053754.GA725@faust.net>
References: <20050707053754.GA725@faust.net>

On Thursday, 7. July 2005 07:37, Zoran Kolic wrote:
> Has someone used gpg-idea port
> (with idea and rsa) to circum-
> vent pgp <-> gpg mismatch?

Yes.  There are a few things that you need to pay attention to with
gnupg and idea:

1.) You need to compile the gnupg-idea port with MAKE_IDEA defined (for
example in /etc/make.conf), otherwise it will just install rsa (which is
broken with current versions of gnupg to boot).

2.) After installation, you need to edit your gnupg configuration file
(default ~/.gnupg/gpg.conf) and add a line

    load-extension /usr/local/lib/gnupg/idea

-- 
   ,_,   | Michael Nottebrock               | lofi@freebsd.org
 (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
   \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org