From: Matus Harvan <matus.harvan@inf.ethz.ch>
To: Jeremie Le Hen
Cc: freebsd-net@FreeBSD.org, Brooks Davis, "Bruce M. Simpson", Max Laier
Date: Wed, 31 Oct 2007 02:21:04 +0100
Subject: Re: UDP catchall
Message-ID: <20071031012104.GG2564@styx.ethz.ch>
In-Reply-To: <20071030200410.GJ78526@obiwan.tataz.chchile.org>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Oct 30, 2007 at 09:04:11PM +0100, Jeremie Le Hen wrote:
> I can think of a possible implementation of mtund(8) without kernel
> patching. The next pf(4) import from OpenBSD will likely allow logging
> to some particular pflog(4) interface (instead of the default pflog0).
>
> It will then be possible to create a couple of rules matching one or
> more ranges of ports and logging to, say, pflog1. Reading on the
> latter, mtund(8) will immediately open a socket bound to the
> corresponding port. This is a kind of port knocking. Thanks to the TCP
> retransmission algorithm, or mtunc(1)'s cleverness in the case of a UDP
> socket, the second packet should hit mtund(8).
>
> One downside is that it requires a bunch of configuration in pf.conf(5),
> so it may not be as straightforward to set up as one may have expected.
>
> I don't know TCP internals; it may affect TCP slow start or have some
> other minor drawbacks. But hey, we're talking about bypassing a firewall
> :-)...

If an RST packet is generated in response to the first TCP SYN packet,
then the firewall, which we're trying to pass, might decide that the port
in question is closed and delete/modify the state for the TCP connection.
If the RST packet hits the sender of the SYN packet, then there might be
no retransmission, as the sender would think the TCP port is closed.
Matus