From: Daniel Hartmeier
To: "Simon L. Nielsen"
Cc: freebsd-pf@FreeBSD.org
Date: Fri, 1 Jul 2005 16:34:27 +0200
Subject: Re: Fwd: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:15.tcp
Message-ID: <20050701143427.GT26761@insomnia.benzedrine.cx>
In-Reply-To: <20050701111506.GB45821@eddie.nitro.dk>
List-Id: Technical discussion and general questions about packet filter (pf)

On Fri, Jul 01, 2005 at 01:15:07PM +0200, Simon L. Nielsen wrote:

> Note that there is also another vulnerability (addressed in the same
> advisory) here where the FreeBSD TCP stack accepted a SYN packet for
> an established connection.
>
> I would assume that pf's packet scrubbing would handle that and not
> let a SYN packet through for an established connection?

I'm not sure; on first glance, it doesn't look like scrubbing removes the
SYN or drops the packet, but I will check if this can be added.

But pf will ensure that only packets with sequence numbers within narrow
windows will pass, so it would have to be the real peer (or someone along
the path between the peers, who can sniff) that can deliver such a SYN.
Everyone else can't guess the right numbers, and their packets will get
blocked by pf.

Daniel
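The point Daniel makes above, that a SYN is not rejected for its flags but that a blind sender cannot land it inside the tracked sequence windows, can be seen in a small model. The following is an added illustration for this thread, not pf's code: it mirrors the shape of pf's per-state tracking (each side remembers the end of the data it has sent, the highest octet its peer will currently accept, and its largest advertised window) with constructed constants, peer names ("client"/"server") and a constructed connection, and counts how many sequence values a spoofed SYN could carry and still pass.

```python
"""Model of the per-state TCP sequence-window checks that let pf reject blind
injection. Added illustration, not pf's code; constants, peer names and the
sample connection are constructed here. Each side tracks: seqlo (end of the
highest data it has sent), seqhi (highest octet the peer will accept from it,
i.e. the peer's last ack plus its window) and max_win (largest window seen)."""
from dataclasses import dataclass

MASK = 0xFFFFFFFF
MAXACKWINDOW = 65535 + 1500   # assumed allowance for ack skew (pf-style constant)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def seq_geq(a: int, b: int) -> bool:
    """32-bit wrap-around 'a >= b', like the kernel's SEQ_GEQ macro."""
    return ((a - b) & MASK) < 0x80000000


@dataclass
class Side:
    seqlo: int = 0       # end of the highest data this side has sent
    seqhi: int = 1       # highest octet the peer will accept from this side
    max_win: int = 1     # largest window this side has advertised
    known: bool = False  # have we seen a packet from this side yet?


@dataclass
class Packet:
    src: str             # "client" or "server" (constructed peer names)
    flags: int
    seq: int
    ack: int
    win: int
    payload: int = 0


class TcpState:
    """One state entry, created by the SYN that opened the connection."""

    def __init__(self, syn: Packet) -> None:
        self.sides = {"client": Side(), "server": Side()}
        self._learn(self.sides[syn.src], syn)
        self.sides[syn.src].seqlo = self._end(syn)

    @staticmethod
    def _end(p: Packet) -> int:
        return (p.seq + p.payload + bool(p.flags & SYN) + bool(p.flags & FIN)) & MASK

    def _learn(self, side: Side, p: Packet) -> None:
        side.seqlo, side.seqhi = p.seq, (self._end(p) + 1) & MASK
        side.max_win, side.known = max(p.win, 1), True

    def check(self, p: Packet) -> bool:
        """Return True if the packet fits the tracked windows, updating state."""
        src = self.sides[p.src]
        dst = self.sides["server" if p.src == "client" else "client"]
        if not src.known:
            self._learn(src, p)
        end = self._end(p)
        # A packet without ACK is treated as acking everything already seen, so a
        # SYN is not rejected for its flags alone: the sequence checks decide.
        ack = p.ack if p.flags & ACK else dst.seqlo
        ackskew = (dst.seqlo - ack) & MASK
        if ackskew >= 0x80000000:
            ackskew -= 1 << 32
        ok = (seq_geq(src.seqhi, end)                                 # last octet inside peer's window
              and seq_geq(p.seq, (src.seqlo - dst.max_win) & MASK)   # at most one window back
              and -MAXACKWINDOW <= ackskew <= MAXACKWINDOW)          # ack not too far off
        if ok:
            if seq_geq((ack + p.win) & MASK, dst.seqhi):
                dst.seqhi = (ack + max(p.win, 1)) & MASK
            if seq_geq(end, src.seqlo):
                src.seqlo = end
            src.max_win = max(src.max_win, p.win)
        return ok

    def syn_window(self, side: str) -> int:
        """Number of sequence values a zero-payload SYN from `side` could carry and pass."""
        src = self.sides[side]
        dst = self.sides["server" if side == "client" else "client"]
        lo = (src.seqlo - dst.max_win) & MASK
        hi = (src.seqhi - 1) & MASK            # seq + 1 (the SYN) must not exceed seqhi
        return ((hi - lo) & MASK) + 1


def demo() -> dict:
    """Constructed connection: handshake, 1000 bytes of data, then two SYNs
    that claim to come from the client while the connection is established."""
    c, s = 1_000_000, 2_000_000                 # constructed ISNs
    st = TcpState(Packet("client", SYN, c, 0, 32768))
    legit = [Packet("server", SYN | ACK, s, c + 1, 65535),
             Packet("client", ACK, c + 1, s + 1, 32768),
             Packet("client", ACK, c + 1, s + 1, 32768, payload=1000),
             Packet("server", ACK, s + 1, c + 1001, 65535)]
    handshake_ok = all(st.check(p) for p in legit)
    window = st.syn_window("client")
    # Blind attacker: cannot see the connection, so picks an unrelated sequence number.
    blind = st.check(Packet("client", SYN, (c + 0x4000_0000) & MASK, 0, 8192))
    # Real peer (or an on-path sniffer): knows the live sequence space.
    on_path = st.check(Packet("client", SYN, st.sides["client"].seqlo, 0, 8192))
    return {"handshake_ok": handshake_ok, "syn_window": window,
            "blind_guess_probability": window / 2**32,
            "blind_syn_passed": blind, "on_path_syn_passed": on_path}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the constructed 64 KB windows the model accepts a spoofed SYN only if its sequence number falls in a span of about 131k values out of 2^32, a few chances in 100,000 per blind attempt, while the SYN from the real peer at the live sequence number passes the same checks. The window scales with the peers' advertised (and scaled) windows, so large windows widen it; the model does not implement window scaling.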