From owner-freebsd-security@FreeBSD.ORG Tue Nov 25 12:52:40 2008
Date: Tue, 25 Nov 2008 23:51:54 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Eirik Øverby
Cc: freebsd-security@freebsd.org, Pieter de Boer
Subject: Re: Dropping syn+fin replies, but not really?
In-Reply-To: <0A92AEEC-5AF2-4DB7-9ACD-855731E168C6@anduin.net>
Message-ID: <20081125232938.C43853@sola.nimnet.asn.au>
References: <49299876.4020702@thelostparadise.com> <876D0973-A384-4567-8E61-771E96E8A65A@anduin.net> <492B26B9.505@thedarkside.nl> <0A92AEEC-5AF2-4DB7-9ACD-855731E168C6@anduin.net>
List-Id: "Security issues [members-only posting]"

On Mon, 24 Nov 2008, Eirik Øverby wrote:
> On Nov 24, 2008, at 23:12, Pieter de Boer wrote:
[..]
> > > Results for port 8585:
> > > IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP (6),
> > > length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum 0xf765
> > > (correct), 1324215952:1324215952(0) win 16384 <mss
> > > 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4070158112 0>
> > > IP (tos 0x0, ttl 63, id 34488, offset 0, flags [DF], proto: TCP (6),
> > > length: 40) 213.225.74.230.8585 > alge.anart.no.1839: R, cksum 0x52ef
> > > (correct), 0:0(0) ack 1324215953 win 0
> > > I can't tell what's going on here, except I wouldn't have expected a
> > > reply at all to the second one at least, and maybe not even the first.
> > > However, I don't have enough experience to tell if nmap is doing the
> > > "right thing" here at all.
[..]
> > The strictest firewall configuration would be to have everything filtered
> > except the ports you actually use. Those ports are either NATted to the
> > back-end system or handled by the firewall itself (in case you want that
> > functionality). From a security perspective, simply dropping incoming
> > traffic is better than sending back RSTs. In pf this is the default.
>
> That is correct, however in this case I do 1:1 and no pf on the target host
> (it is in a DMZ). I ran the scan on this system out of curiosity only,
> however as stated above this problem is far from unique to this particular
> system.
>
> Thanks for your input, I'll keep trying to reproduce this..

Perhaps off to the side, but I wonder if net.inet.tcp.blackhole may be
relevant? Here tcpdump was showing RSTs back to attempted connections to
unused ports, despite these being dropped on ingress by the firewall,
which I thought was unnecessarily informative :)

# net.inet.tcp.blackhole: Do not send RST when dropping refused connections
net.inet.tcp.blackhole=1

fixed that here. Caveats: that's on a 5.5-STABLE box using ipfw to drop
such connections. I'd been surprised to see those RSTs too ..

cheers, Ian
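As an added example (not code from anyone in this thread), the script below does mechanically what the posters were doing by eye with tcpdump: it reads tcpdump -nv style lines in the same layout as the ones Eirik quoted, pairs each SYN probe aimed at a target with whatever came back for that client/port tuple, and labels the port the way a SYN scanner would. Ports that answer with RST are the ones whose replies net.inet.tcp.blackhole=1 (or a firewall drop instead of a reject) would silence. The addresses, the capture text and the "intended open" port set are constructed for the example, not taken from a real scan.

```python
"""Classify TCP SYN-scan responses from tcpdump -nv style output.

Added example for the thread above; not code from the original posts.
It pairs each SYN probe aimed at TARGET with the first reply for the same
client/port tuple and labels the target port the way a SYN scanner would:
  SYN-ACK back  -> open
  RST back      -> closed   (the host answered: this is the reply that
                             net.inet.tcp.blackhole=1 suppresses)
  nothing back  -> filtered (what a silent drop looks like to the scanner)
"""
import re

# Addresses and the capture below are constructed for this example; the line
# layout mirrors the tcpdump 3.x output quoted in the thread.
TARGET = "192.0.2.10"
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP (6), length: 64) 10.0.0.5.1839 > 192.0.2.10.8585: S, cksum 0xf765 (correct), 1324215952:1324215952(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4070158112 0>
IP (tos 0x0, ttl 63, id 34488, offset 0, flags [DF], proto: TCP (6), length: 40) 192.0.2.10.8585 > 10.0.0.5.1839: R, cksum 0x52ef (correct), 0:0(0) ack 1324215953 win 0
IP (tos 0x0, ttl 59, id 44157, offset 0, flags [DF], proto: TCP (6), length: 64) 10.0.0.5.1840 > 192.0.2.10.22: S, cksum 0x1a2b (correct), 7000:7000(0) win 16384 <mss 1460>
IP (tos 0x0, ttl 63, id 34489, offset 0, flags [DF], proto: TCP (6), length: 64) 192.0.2.10.22 > 10.0.0.5.1840: S., cksum 0x3c4d (correct), 9000:9000(0) ack 7001 win 65535 <mss 1460>
IP (tos 0x0, ttl 59, id 44158, offset 0, flags [DF], proto: TCP (6), length: 64) 10.0.0.5.1841 > 192.0.2.10.9999: S, cksum 0x5e6f (correct), 8000:8000(0) win 16384 <mss 1460>
"""

# Matches "src.port > dst.port: FLAGS,"  e.g. "10.0.0.5.1839 > 192.0.2.10.8585: S,"
# Hostnames (alge.anart.no.1839) work too: the trailing ".digits" is the port.
PKT_RE = re.compile(
    r"(?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPF.]+),"
)


def parse_packets(capture):
    """Yield (src, sport, dst, dport, flags) for each line that looks like a
    TCP packet; other lines (ARP, ICMP, continuation text) are ignored."""
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   m["flags"])


def classify_probes(capture, target):
    """Return {target_port: 'open' | 'closed' | 'filtered' | 'unknown'}."""
    replies = {}   # (client, client_port, target_port) -> [reply flags...]
    order = []
    for src, sport, dst, dport, flags in parse_packets(capture):
        if dst == target and flags == "S":          # an outbound SYN probe
            key = (src, sport, dport)
            if key not in replies:
                replies[key] = []
                order.append(key)
        elif src == target:                          # something came back
            key = (dst, dport, sport)
            if key in replies:
                replies[key].append(flags)

    states = {}
    for client, cport, tport in order:
        answers = replies[(client, cport, tport)]
        if not answers:
            states[tport] = "filtered"            # silent drop / blackhole
        elif answers[0].startswith("S."):
            states[tport] = "open"                # SYN-ACK: a listener
        elif answers[0].startswith("R"):
            states[tport] = "closed"              # RST: host up, no listener
        else:
            states[tport] = "unknown"
    return states


def rst_leaks(states, intended_open):
    """Ports that answered with RST although they are not meant to be
    reachable: each one tells a scanner the host is up and the port is
    merely closed, exactly the signal a blackhole / drop policy removes."""
    return sorted(p for p, s in states.items()
                  if s == "closed" and p not in intended_open)


if __name__ == "__main__":
    states = classify_probes(SAMPLE_CAPTURE, TARGET)
    for port, state in sorted(states.items()):
        print(f"{TARGET}:{port:<5} {state}")
    print("RST leaks:", rst_leaks(states, intended_open={22}))
```

On the constructed capture, 8585 is reported as closed (the RST seen in the thread), 22 as open, and 9999 as filtered; only 8585 is flagged as an RST leak. After setting net.inet.tcp.blackhole=1 on the target (or having the firewall drop rather than reject), a fresh capture of the same probes should move 8585 into the filtered column, which is a quick way to confirm the sysctl took effect. The script keys only on TCP flags, so it treats a SYN-ACK and a RST identically as "the host answered"; both reveal a live host, which is the point of the thread.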