From: Darren Reed
To: wollman@csail.mit.edu (Garrett Wollman)
Cc: Dag-Erling Smørgrav, Jesper Wallin, freebsd-security@freebsd.org
Date: Wed, 6 Jul 2005 00:28:45 +1000 (Australia/ACT)
Subject: Re: packets with syn/fin vs pf_norm.c
Message-Id: <200507051428.j65ESjJu001522@caligula.anu.edu.au>
In-Reply-To: <17096.38921.588487.576918@khavrinen.csail.mit.edu> from "Garrett Wollman" at Jul 03, 2005 09:59:37 PM

In some mail from Garrett Wollman, sie said:
>
> <
>
> > It is not invalid for a TCP segment to have both SYN and FIN set. See
> > for instance RFC 1644.
>
> RFC 793 is perhaps the better reference, followed by RFC 1025.

No, you're wrong on this.

Packets for TCP with SYN + FIN set are valid under T/TCP. T/TCP is
documented under RFC 1644. To claim that these, earlier, documents
render it ... "dead" is to argue that SACK and all other TCP
enhancements since also fall into that bucket.

Very few people use T/TCP, although I believe FreeBSD is the only one
of the BSDs that has done anything serious with it.

pf is wrong to unconditionally clear the FIN flag.

So there are a number of options here:
- fix pf to not remove the FIN flag in FreeBSD
- don't use T/TCP
- don't use scrub in pf
- don't use pf

I think this is a bug in the scrub implementation and should be fixed.

Darren
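
Added example, not part of the original message and not pf's code: a C sketch of the two flag-handling policies the message contrasts, clearing FIN whenever SYN is set versus leaving SYN+FIN intact for T/TCP. It goes slightly beyond the message by also applying the RFC 1624 incremental checksum update that an in-place flag change requires; the function names, the `allow_syn_fin` switch and the sample header are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
enum verdict { PASS, MODIFIED, DROP };

/* Internet checksum over a buffer; 0 means the stored checksum verifies. */
uint16_t cksum16(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)p[i] << 8 | p[i + 1];
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 1624 incremental update: HC' = ~(~HC + ~m + m') */
static uint16_t cksum_fixup(uint16_t hc, uint16_t m, uint16_t m2) {
    uint32_t sum = (uint32_t)(uint16_t)~hc + (uint16_t)~m + m2;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* allow_syn_fin == 0: clear FIN whenever SYN is set (what the message
 * objects to); nonzero: leave SYN+FIN untouched, as T/TCP needs. */
enum verdict normalize_flags(uint8_t *tcp, size_t len, int allow_syn_fin) {
    if (len < 20) return DROP;            /* shorter than a TCP header */
    uint8_t flags = tcp[13];
    if ((flags & (TH_SYN | TH_FIN)) != (TH_SYN | TH_FIN) || allow_syn_fin)
        return PASS;
    uint16_t old = (uint16_t)(tcp[12] << 8 | tcp[13]);
    tcp[13] = flags & (uint8_t)~TH_FIN;
    uint16_t upd = (uint16_t)(tcp[12] << 8 | tcp[13]);
    uint16_t ck = cksum_fixup((uint16_t)(tcp[16] << 8 | tcp[17]), old, upd);
    tcp[16] = (uint8_t)(ck >> 8); tcp[17] = (uint8_t)ck;
    return MODIFIED;
}

/* Constructed sample: SYN+FIN header, ports 49152 -> 80; the checksum covers
 * only these 20 bytes (no pseudo-header) so the demo is self-contained. */
enum verdict demo(int allow_syn_fin, uint8_t h[20]) {
    static const uint8_t syn_fin[20] = { 0xC0,0x00, 0x00,0x50, 0,0,0,1,
        0,0,0,0, 0x50, TH_SYN | TH_FIN, 0x20,0x00, 0xCF,0xAA, 0,0 };
    memcpy(h, syn_fin, 20);
    return normalize_flags(h, 20, allow_syn_fin);
}
```

Calling `demo(0, h)` yields a SYN-only header whose checksum still verifies, while `demo(1, h)` passes the SYN+FIN segment through unchanged.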