From owner-freebsd-security Fri Jun 8 19:56:36 2001
Date: Fri, 08 Jun 2001 21:53:17 -0500
From: Ryan
Subject: IPFILTER and flags S/SA
To: freebsd-security@FreeBSD.ORG
Message-id: <000601c0f08f$566f53e0$01000001@mhx800>
References: <9C643FE251025246BF8CE3ADFA3765954873@hydrogen.tmolp.com> <3B215D6A.9E968BAE@globalstar.com>

From the IPF howto:

- Some examples use flags S/SA instead of flags S. flags S actually equates to flags S/AUPRFS and matches against only the SYN packet out of all six possible flags, while flags S/SA will allow packets that may or may not have the URG, PSH, FIN, or RST flags set. Some protocols demand the URG or PSH flags, and S/SAFR would be a better choice for these, however we feel that it is less secure to blindly use S/SA when it isn't required. But it's your firewall.

- I was wondering if anyone could maybe explain in more detail why S/SA is unsafe?
Example:

pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags S keep state
pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags S/SA keep state

ryanpek@swbell.net
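Added example, not from the post above or from IPFilter's own code: a small model of how an ipf "flags X/Y" specification is evaluated (only the bits named in the mask Y are compared; with no mask all six flags are compared, so S means S/AUPRFS as the howto excerpt says), which then enumerates how many of the 64 possible flag combinations each of the three specs from the excerpt admits. The flag-bit values are the standard TCP header bits; the function names are assumptions of this example.

```python
from itertools import combinations

# ipf flag letters mapped to the standard TCP header flag bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "AUPRFS"  # the six flags ipf compares when no mask is given


def parse_flags(spec):
    """Turn an ipf flag spec ("S", "S/SA", "S/AUPRFS") into (flags, mask) bits.

    Without an explicit mask all six flags are compared, so "S" is
    shorthand for "S/AUPRFS", exactly as the howto excerpt says.
    """
    want, _, mask = spec.partition("/")
    if not mask:
        mask = ALL_FLAGS
    want_bits = sum(FLAG_BITS[c] for c in want)
    mask_bits = sum(FLAG_BITS[c] for c in mask)
    if want_bits & ~mask_bits:
        raise ValueError("flags %s are not covered by mask %s" % (want, mask))
    return want_bits, mask_bits


def flags_match(spec, packet_flags):
    """True if a packet carrying packet_flags (e.g. "PS") satisfies spec.

    Only bits inside the mask are compared; anything outside it is ignored,
    which is what lets S/SA accept SYN packets with URG/PSH/RST/FIN set.
    """
    want, mask = parse_flags(spec)
    pkt = sum(FLAG_BITS[c] for c in packet_flags)
    return (pkt & mask) == want


def admitted_combinations(spec):
    """All flag combinations (out of 2**6 = 64) that the spec lets through."""
    found = []
    for n in range(len(ALL_FLAGS) + 1):
        for combo in combinations(ALL_FLAGS, n):
            if flags_match(spec, "".join(combo)):
                found.append("".join(combo))
    return found


if __name__ == "__main__":
    for spec in ("S", "S/SAFR", "S/SA"):
        hits = admitted_combinations(spec)
        print("flags %-7s admits %2d of 64 combinations: %s" % (spec, len(hits), hits))
```

Running it shows flags S admitting exactly one combination (a bare SYN), S/SAFR four, and S/SA sixteen, which is the widening the howto warns about.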