Date: Tue, 05 Jul 2005 17:17:12 +0200 From: Jesper Wallin <jesper@hackunite.net> To: Darren Reed <avalon@caligula.anu.edu.au> Cc: freebsd-security@freebsd.org Subject: Re: packets with syn/fin vs pf_norm.c Message-ID: <42CAA478.7010806@hackunite.net> In-Reply-To: <200507051428.j65ESjJu001522@caligula.anu.edu.au> References: <200507051428.j65ESjJu001522@caligula.anu.edu.au>
next in thread | previous in thread | raw e-mail | index | archive | help
Darren Reed wrote: >In some mail from Garrett Wollman, sie said: > > >><<On Mon, 04 Jul 2005 02:53:33 +0200, des@des.no (Dag-Erling Smørgrav) said: >> >> >> >>>It is not invalid for a TCP segment to have both SYN and FIN set. See >>>for instance RFC 1644. >>> >>> >>RFC 793 is perhaps the better reference, followed by RFC 1025. >> >> > >No, you're wrong on this. > >Packets for TCP with SYN + FIN set are valid under T/TCP. >T/TCP is documented under RFC 1644. To claim that these, earlier, >documents render it ... "dead" is to argue that SACK and all other >TCP enhancements since also fall into that bucket. > >Very few people use T/TCP, although I believe FreeBSD is the only >one of the BSDs that has done anything serious with it. pf is wrong >to unconditionally clear the FIN flag. So there are a number of >options here: >- fix pf to not remove the FIN flag in FreeBSD >- don't use T/TCP >- don't use scrub in pf >- don't use pf > >I think this is a bug in the scrub implementation and should be >fixed. > >Darren > Like mentioned in my first mail, I don't know anything about C programming, but I just wanted to say that my patch seems to work and scrub will now drop packets with both SYN/FIN bits set. Yet, I doubt it's far from optimized or good to do it that way and I would love if someone could rewrite/look at it. Also, I wonder why the TCP_DROP_SYNFIN option isn't checked in pf_norm.c? Sure, it might be bad/good/whatever dropping packets with SYN/FIN, but if you decide to do it and add the TCP_DROP_SYNFIN option, then it should drop them even if you use pf, ipf or ipfw.. or is it just me having wrong expectations? Best regards, Jesper Wallin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42CAA478.7010806>