From: Jesper Wallin <jesper@hackunite.net>
Date: Tue, 05 Jul 2005 17:17:12 +0200
To: Darren Reed
Cc: freebsd-security@freebsd.org
Subject: Re: packets with syn/fin vs pf_norm.c
Message-ID: <42CAA478.7010806@hackunite.net>
In-Reply-To: <200507051428.j65ESjJu001522@caligula.anu.edu.au>

Darren Reed wrote:
>In some mail from Garrett Wollman, sie said:
>
>>>It is not invalid for a TCP segment to have both SYN and FIN set. See
>>>for instance RFC 1644.
>>
>>RFC 793 is perhaps the better reference, followed by RFC 1025.
>
>No, you're wrong on this.
>
>Packets for TCP with SYN + FIN set are valid under T/TCP.
>T/TCP is documented under RFC 1644. To claim that these, earlier,
>documents render it ... "dead" is to argue that SACK and all other
>TCP enhancements since also fall into that bucket.
>
>Very few people use T/TCP, although I believe FreeBSD is the only
>one of the BSDs that has done anything serious with it. pf is wrong
>to unconditionally clear the FIN flag. So there are a number of
>options here:
>- fix pf to not remove the FIN flag in FreeBSD
>- don't use T/TCP
>- don't use scrub in pf
>- don't use pf
>
>I think this is a bug in the scrub implementation and should be
>fixed.
>
>Darren

As mentioned in my first mail, I don't know anything about C programming, but I just wanted to say that my patch seems to work and scrub will now drop packets with both SYN/FIN bits set. Yet, I doubt it's far from optimized or good to do it that way, and I would love it if someone could rewrite/look at it.

Also, I wonder why the TCP_DROP_SYNFIN option isn't checked in pf_norm.c? Sure, it might be bad/good/whatever dropping packets with SYN/FIN, but if you decide to do it and add the TCP_DROP_SYNFIN option, then it should drop them even if you use pf, ipf or ipfw... or is it just me having wrong expectations?

Best regards,
Jesper Wallin
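As an added illustration, not code from this thread, from pf_norm.c, or from Jesper's patch, the C sketch below shows where the SYN and FIN bits live in a TCP header (the flags byte at offset 13) and the three handlings the thread contrasts for a segment carrying both: pass it through, which T/TCP under RFC 1644 requires; clear FIN and forward the rest, which Darren describes scrub as doing unconditionally; or drop the segment, which Jesper's patch does and which the TCP_DROP_SYNFIN option implies. The function names, the policy and verdict enums and the constructed 20-byte header are assumptions made for the example; none of it uses pf's own data structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* TCP flag bits in the flags byte (offset 13 of the TCP header). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_ACK 0x10

#define TCP_MIN_HDR 20 /* header length with no options */

/* Verdicts a normalizer could return for one segment (assumed names). */
enum synfin_verdict {
    SF_PASS = 0,      /* leave the segment untouched */
    SF_CLEAR_FIN = 1, /* strip FIN, forward the rest */
    SF_DROP = 2,      /* discard the segment */
    SF_INVALID = 3    /* too short to hold a TCP header */
};

/* Operator-selectable policies for SYN+FIN segments (assumed names). */
enum synfin_policy {
    POLICY_ALLOW_TTCP, /* accept SYN+FIN, as RFC 1644 T/TCP needs */
    POLICY_CLEAR_FIN,  /* normalize by clearing the FIN bit */
    POLICY_DROP        /* drop outright, TCP_DROP_SYNFIN-style */
};

/* Return 1 when both SYN and FIN are set. 'len' is the number of bytes
 * available starting at the TCP header; short buffers are never read. */
int tcp_has_synfin(const uint8_t *tcp, size_t len)
{
    if (tcp == NULL || len < TCP_MIN_HDR)
        return 0;
    uint8_t flags = tcp[13];
    return (flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN);
}

/* Apply the chosen policy. POLICY_CLEAR_FIN rewrites the header in place,
 * which is why 'tcp' is not const. Segments without SYN+FIN always pass. */
enum synfin_verdict synfin_normalize(uint8_t *tcp, size_t len, enum synfin_policy pol)
{
    if (tcp == NULL || len < TCP_MIN_HDR)
        return SF_INVALID;
    if (!tcp_has_synfin(tcp, len))
        return SF_PASS;
    switch (pol) {
    case POLICY_ALLOW_TTCP:
        return SF_PASS;
    case POLICY_CLEAR_FIN:
        tcp[13] &= (uint8_t)~TH_FIN;
        return SF_CLEAR_FIN;
    case POLICY_DROP:
    default:
        return SF_DROP;
    }
}

/* Build a constructed 20-byte TCP header carrying 'flags' (sample input,
 * not a captured packet; ports, sequence numbers and window are arbitrary). */
void make_tcp_header(uint8_t *out, uint8_t flags)
{
    memset(out, 0, TCP_MIN_HDR);
    out[0] = 0x04; out[1] = 0xd2;   /* source port 1234 */
    out[2] = 0x00; out[3] = 0x50;   /* destination port 80 */
    out[12] = 0x50;                 /* data offset: 5 words = 20 bytes */
    out[13] = flags;
    out[14] = 0xff; out[15] = 0xff; /* window */
}

/* Build a header with 'flags', normalize it under 'pol', return the verdict.
 * The flags byte as it looks afterwards is stored via flags_out when non-NULL. */
enum synfin_verdict synfin_scenario(uint8_t flags, enum synfin_policy pol, uint8_t *flags_out)
{
    uint8_t pkt[TCP_MIN_HDR];
    make_tcp_header(pkt, flags);
    enum synfin_verdict v = synfin_normalize(pkt, sizeof pkt, pol);
    if (flags_out != NULL)
        *flags_out = pkt[13];
    return v;
}

/* Same scenario, but return the flags byte left in the header. */
int synfin_flags_after(uint8_t flags, enum synfin_policy pol)
{
    uint8_t after = 0;
    (void)synfin_scenario(flags, pol, &after);
    return after;
}

int main(void)
{
    uint8_t after;
    printf("SYN+FIN, allow T/TCP: verdict %d\n", synfin_scenario(TH_SYN | TH_FIN, POLICY_ALLOW_TTCP, NULL));
    printf("SYN+FIN, clear FIN:   verdict %d, flags now 0x%02x\n",
           synfin_scenario(TH_SYN | TH_FIN, POLICY_CLEAR_FIN, &after), after);
    printf("SYN+FIN, drop:        verdict %d\n", synfin_scenario(TH_SYN | TH_FIN, POLICY_DROP, NULL));
    printf("plain SYN, drop pol:  verdict %d\n", synfin_scenario(TH_SYN, POLICY_DROP, NULL));
    return 0;
}
```

The point the sketch makes concrete is that the decision belongs in policy, not in an unconditional rewrite: a normalizer that always strips FIN breaks T/TCP on hosts that use it, while a normalizer that consults a setting such as TCP_DROP_SYNFIN can give the operator the drop behaviour Jesper wants without making that choice for everyone.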