From: Richard Coleman <rcoleman@criticalmagic.com>
Organization: Critical Magic
Date: Tue, 05 Jul 2005 11:11:57 -0400
To: Darren Reed
Cc: freebsd-security@freebsd.org, Garrett Wollman, Jesper Wallin, Dag-Erling Smørgrav
Subject: Re: packets with syn/fin vs pf_norm.c
Message-ID: <42CAA33D.9080505@criticalmagic.com>
In-Reply-To: <200507051428.j65ESjJu001522@caligula.anu.edu.au>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

Darren Reed wrote:
> No, you're wrong on this.
>
> Packets for TCP with SYN + FIN set are valid under T/TCP.
> T/TCP is documented under RFC 1644. To claim that these, earlier,
> documents render it ... "dead" is to argue that SACK and all other
> TCP enhancements since also fall into that bucket.
>
> Very few people use T/TCP, although I believe FreeBSD is the only
> one of the BSDs that has done anything serious with it. pf is wrong
> to unconditionally clear the FIN flag. So there are a number of
> options here:
> - fix pf to not remove the FIN flag in FreeBSD
> - don't use T/TCP
> - don't use scrub in pf
> - don't use pf
>
> I think this is a bug in the scrub implementation and should be
> fixed.
>
> Darren

1. I thought that T/TCP was being removed from FreeBSD (already happened?).

2. It's trivial to predict Theo's response to this.

3. Since T/TCP is rare, there is little motivation to alter scrub to function differently than OpenBSD with respect to these packets. If someone really needs this, there are plenty of alternatives.

But more importantly, the original question has been lost. The original question was what should the various firewalls do when the kernel has been compiled with TCP_DROP_SYNFIN. Regardless of whether those packets are valid or not, a person may have reason to compile this feature into the kernel. So, should the firewalls act differently if this kernel option is used?

Richard Coleman
rcoleman@criticalmagic.com
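The thread contrasts two ways a host can treat a segment with both SYN and FIN set: pf's scrub normalises it by clearing FIN and forwarding, while a kernel built with TCP_DROP_SYNFIN discards it. The following is an added illustration, not code from the thread, from pf or from FreeBSD: it parses a raw TCP header, tests the flag bits, and applies both policies to constructed packets, recomputing the TCP checksum so that a scrubbed segment stays valid on the wire. The IP addresses, ports and policy names are constructed for the example.

```python
"""Flag inspection and two SYN+FIN policies over raw TCP segments.

Added example; the packets, addresses and policy names are constructed
and do not come from pf, FreeBSD or the mailing-list thread.
"""
import struct

# TCP flag bits as they appear in the low six bits of header byte 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the six TCP flag bits of a raw segment (header starts at byte 0)."""
    return segment[13] & 0x3F


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Internet checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A segment whose stored checksum is correct sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_segment(src_ip, dst_ip, sport, dport, flags, payload=b"") -> bytes:
    """Construct a minimal 20-byte TCP header with the given flags and a valid checksum."""
    hdr = bytearray(struct.pack("!HHIIBBHHH",
                                sport, dport,
                                1000, 0,          # seq, ack (constructed)
                                5 << 4, flags,    # data offset = 5 words, flags
                                65535, 0, 0))     # window, checksum, urgent ptr
    csum = tcp_checksum(src_ip, dst_ip, bytes(hdr) + payload)
    hdr[16:18] = struct.pack("!H", csum)
    return bytes(hdr) + payload


def policy_scrub(src_ip, dst_ip, segment):
    """Normalising policy: on SYN+FIN, clear FIN and forward the rewritten segment.

    Returns (action, segment); the checksum is recomputed after the rewrite.
    """
    flags = tcp_flags(segment)
    if flags & SYN and flags & FIN:
        hdr = bytearray(segment)
        hdr[13] &= (~FIN) & 0xFF
        hdr[16:18] = b"\x00\x00"
        hdr[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(hdr)))
        return "pass-modified", bytes(hdr)
    return "pass", segment


def policy_drop_synfin(src_ip, dst_ip, segment):
    """Discarding policy, mirroring a kernel built with TCP_DROP_SYNFIN."""
    flags = tcp_flags(segment)
    if flags & SYN and flags & FIN:
        return "drop", None
    return "pass", segment


if __name__ == "__main__":
    SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    synfin = build_segment(SRC, DST, 40000, 80, SYN | FIN)
    for name, policy in (("scrub", policy_scrub), ("drop-synfin", policy_drop_synfin)):
        action, out = policy(SRC, DST, synfin)
        print(name, action, None if out is None else hex(tcp_flags(out)))
```

The two policies differ in what the receiving host ever sees: under the scrub policy the segment arrives as a plain SYN (so a T/TCP peer loses the FIN it sent), while under the drop policy it never arrives at all. Both handlers return the decision rather than just printing it, which makes it easy to log or count SYN+FIN occurrences separately from ordinary SYNs when checking what a given ruleset actually does.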