Date:      Sun, 17 Feb 2002 11:55:33 -0800
From:      Luigi Rizzo <rizzo@icir.org>
To:        "Aaron D. Gifford" <agifford@infowest.com>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: Bug in stateful code?
Message-ID:  <20020217115533.A14365@iguana.icir.org>
In-Reply-To: <20020216014335.AE41B213CA@ns1.infowest.com>
References:  <20020215225647.DBAB521CE8@ns1.infowest.com> <3C6DA100.3080108@tenebras.com> <20020216014335.AE41B213CA@ns1.infowest.com>

I do not think your proposal is correct (the context is in
your other posting). The firewall provides the basic mechanism,
much like a CPU provides machine instructions.
Your ruleset (your program) makes use of that. If you write the
wrong program it's your business, not the CPU's business. The
latter may trap in some cases (_invalid_ operands, e.g.
division by 0), but not all of them (e.g. divide by 10 when you
really wanted to divide by 0x10), and given that TCP packets may
get lost or go through some other path, flagging these events is
not ipfw business.

	cheers
	luigi

On Fri, Feb 15, 2002 at 06:43:35PM -0700, Aaron D. Gifford wrote:
> Heh, I MEANT to say:
> 
>         default:
>             if (q->state == (TH_SYN | TH_ACK)) {
>                 /*
>                  * Both forward SYN and ACK packets have been seen, without
>                  * a reverse SYN+ACK packet in between, likely due to either
>                  * a buggy rule set, or bogus traffic.
>                  */
>                 if (fw_verbose)
>                     log(LOG_SECURITY | LOG_NOTICE,
>                         "ipfw: Invalid stateful TCP rule (from %d): Middle "
>                         "packet missing from three-way TCP handshake.",
>                         q->rule->fw_number);
>                 return NULL;        /* Drop it as if not matched, verbose or not */
>             }
> 
> There.  I don't know why I was calling the third packet a SYN+ACK in the 
> comments.  The original also was missing some parentheses, and used an 
> incorrect field name (q->parent->fw_number instead of q->rule->fw_number).
> 
> Sorry.  Comes from leaping before looking, I suppose.
> 
> Aaron out.
> 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
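The exchange above turns on what a per-flow tracker actually sees. The following is an added example, not ipfw's code and not from either poster: a simplified handshake tracker that records forward-direction TCP flags in the low byte of an entry's state and reverse-direction flags in the high byte (that layout, the `struct dyn_rule` and `struct pkt` types, the `MATCH_FORWARD`/`MATCH_REVERSE` constants and all function names are assumptions made for the illustration). It implements the check from the quoted proposal and runs two constructed packet traces through it: a complete three-way handshake, and a forward SYN followed by a forward ACK with nothing seen in reverse. The second trace is flagged, and it is also exactly what the firewall sees when the SYN+ACK legitimately returned over a path it does not filter, which is the objection in the reply.

```c
/* Added example: simplified per-flow TCP handshake tracker. Not ipfw code;
 * the state layout, types and names below are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP header flag bits (values as in <netinet/tcp.h>) */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

#define MATCH_FORWARD 0   /* same direction as the packet that created the entry */
#define MATCH_REVERSE 1   /* opposite direction */

struct dyn_rule {         /* hypothetical dynamic-rule entry */
    uint16_t state;       /* forward flags | (reverse flags << 8) */
    int      fw_number;   /* number of the rule that created the entry */
};

struct pkt {              /* one observed packet (constructed input) */
    int     dir;
    uint8_t flags;
};

/* Fold one packet's handshake-relevant flags into the entry's state. */
static void dyn_update(struct dyn_rule *q, const struct pkt *p)
{
    uint16_t f = p->flags & (TH_FIN | TH_SYN | TH_RST | TH_ACK);
    q->state |= (p->dir == MATCH_FORWARD) ? f : (uint16_t)(f << 8);
}

/* The proposed check: forward SYN and forward ACK both recorded, but no
 * reverse SYN+ACK. Returns 1 when the entry looks like a broken handshake. */
int dyn_handshake_suspect(const struct dyn_rule *q)
{
    uint8_t fwd = q->state & 0xff;
    uint8_t rev = (q->state >> 8) & 0xff;
    int fwd_syn_ack = (fwd & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK);
    int rev_syn_ack = (rev & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK);
    return fwd_syn_ack && !rev_syn_ack;
}

/* Feed a packet trace through one entry. Returns 1 and writes the log line
 * (same wording as the proposal) when flagged; returns 0 with an empty
 * logbuf otherwise. */
int run_trace(const struct pkt *trace, size_t n, int fw_number,
              char *logbuf, size_t loglen)
{
    struct dyn_rule q = { 0, fw_number };
    size_t i;

    logbuf[0] = '\0';
    for (i = 0; i < n; i++)
        dyn_update(&q, &trace[i]);
    if (!dyn_handshake_suspect(&q))
        return 0;
    snprintf(logbuf, loglen,
             "ipfw: Invalid stateful TCP rule (from %d): Middle "
             "packet missing from three-way TCP handshake.", fw_number);
    return 1;
}

/* Constructed trace 1: the whole handshake passes through the firewall. */
static const struct pkt full_handshake[] = {
    { MATCH_FORWARD, TH_SYN },
    { MATCH_REVERSE, TH_SYN | TH_ACK },
    { MATCH_FORWARD, TH_ACK },
};

/* Constructed trace 2: forward SYN, forward ACK, nothing in reverse. Bogus
 * traffic and a SYN+ACK that bypassed the firewall look identical here. */
static const struct pkt missing_middle[] = {
    { MATCH_FORWARD, TH_SYN },
    { MATCH_FORWARD, TH_ACK },
};

/* 0: a complete handshake is not flagged. */
int check_full_handshake(void)
{
    char buf[128];
    return run_trace(full_handshake, 3, 100, buf, sizeof buf);
}

/* 1: the missing-middle trace is flagged. */
int check_missing_middle(void)
{
    char buf[128];
    return run_trace(missing_middle, 2, 100, buf, sizeof buf);
}

/* The log line produced for the missing-middle trace (static buffer). */
const char *missing_middle_log(void)
{
    static char buf[128];
    run_trace(missing_middle, 2, 100, buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("full handshake flagged: %d\n", check_full_handshake());
    printf("missing middle flagged: %d\n", check_missing_middle());
    printf("%s\n", missing_middle_log());
    return 0;
}
```

Because `dyn_handshake_suspect` only sees the flags that crossed this one filter, it cannot distinguish a buggy rule set from asymmetric routing or a lost SYN+ACK; a deployment that logs on this condition should treat the message as a hint to inspect the rule set, not as proof of bad traffic.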