From owner-freebsd-security Thu May 31 2:37:57 2001
From: "Liran Dahan"
To:
Cc:
Subject: Re: Syn+Fin (Setup) And TCP RST
Date: Thu, 31 May 2001 12:37:58 +0200
List: freebsd-security@FreeBSD.ORG

There is no connection between net.inet.tcp.restrict_rst=1 and ipfw, since
ipfw will send RST packets if I tell him to, EVEN if I have RST restricted
in my kernel.

Best Regards,
Liran Dahan (lirandb@netvision.net.il)

----- Original Message -----
From: "Arthur W. Neilson III"
To: "Liran Dahan"
Sent: Thursday, May 31, 2001 7:45 AM
Subject: Re: Syn+Fin (Setup) And TCP RST

> it's not sending a RST because you told it not to. The
> net.inet.tcp.restrict_rst = 1 makes the stack NOT send RSTs,
> it just drops the space held by the incoming segment and returns.
> generally speaking, enabling restrict_rst is a bad idea and should
> only be done if you're sure you need it (you're being attacked by SYN flood).
>
> On 5/30/01 at 12:11 AM Liran Dahan wrote:
>
> >Yes, you're right, I noticed it just now. I've changed the variable
> >net.inet.tcp.restrict_rst to 1 and saw it took me ages until I got a
> >Connection timeout.. so what can be the problem.. why is my firewall not
> >sending TCP RST when I'm doing ipfw add reset tcp from any to any ?
> >
> >-Liran Dahan- (lirandb@netvision.net.il)
> >----- Original Message -----
> >From: "Arthur W. Neilson III"
> >To: "Liran Dahan"
> >Sent: Tuesday, May 29, 2001 10:52 PM
> >Subject: Re: Syn+Fin (Setup) And TCP RST
> >
> >> adding these options to your kernel config merely compiles in
> >> the code to support these features. In order to actually turn them
> >> on you have to set the variables in rc.conf to "YES" or turn them
> >> on via sysctl(1) ...
> >>
> >> # For the following two options, you need to have
> >> # TCP_DROP_SYNFIN and TCP_RESTRICT_RST
> >> # set in your kernel. Please refer to LINT for details.
> >> tcp_drop_synfin="NO"    # Set to YES to drop TCP w/SYN+FIN
> >>                         # NOTE: this violates the TCP specification
> >> tcp_restrict_rst="NO"   # Set to YES to restrict emission of RST
> >>
> >> On 5/29/01 at 11:43 PM Liran Dahan wrote:
> >>
> >> >I've added those 2 options in my kernel a long time ago:
> >> >options TCP_DROP_SYNFIN     #drop TCP packets with SYN+FIN
> >> >options TCP_RESTRICT_RST    #restrict emission of TCP RST
> >>
> >> --
> >>    __
> >>   /  )   _/_     It is a capital mistake to theorise before one has data.
> >>  /--/  __ /      Insensibly one begins to twist facts to suit theories,
> >> /  (_/ (_<__     Instead of theories to suit facts.
> >>                      -- Sherlock Holmes, "A Scandal in Bohemia"
> >> Arthur W. Neilson III, WH7N - FISTS #7448
> >> Bank of Hawaii Tech Support
> >> http://www.pilikia.net
> >> art@pilikia.net, aneilson@boh.com, wh7n@arrl.net
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message