Date:      Sat, 9 Jun 2001 11:19:37 +0700
From:      Igor Podlesny <poige@morning.ru>
To:        Ryan <ryanpek@swbell.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: IPFILTER and flags S/SA
Message-ID:  <19592974009.20010609111937@morning.ru>
In-Reply-To: <000601c0f08f$566f53e0$01000001@mhx800>
References:  <9C643FE251025246BF8CE3ADFA3765954873@hydrogen.tmolp.com> <3B215D6A.9E968BAE@globalstar.com> <000601c0f08f$566f53e0$01000001@mhx800>


> from the IPF howto
> -
> Some examples use flags S/SA instead of flags S.
> flags S actually equates to flags S/AUPRFS and
> matches against only the SYN packet out of all six
> possible flags, while flags S/SA will allow pack-
> ets that may or may not have the URG, PSH, FIN, or
> RST flags set. Some protocols demand the URG or
> PSH flags, and S/SAFR would be a better choice for
> these, however we feel that it is less secure to
> blindly use S/SA when it isn't required. But it's
> your firewall.
> -
> I was wondering if any1 could maybe explain more in detail why S/SA is
> unsafe?

English isn't my native language, but it seems to me that the
quotation from the IPF-howto does answer your question clearly. So I will
just expand on it for you:

S/SA means: check for S looking only at S and A; other flags don't matter,
so it will select packets with SYN set even if they also have RST set.

In order to avoid such behaviour, they suggest using S/SAFR, which would
mean the following: check if the packet has SYN set, and none of (ACK, FIN,
RST).

> example:
> pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags S keep state
> pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags S/SA keep state

> ryanpek@swbell.net





-- 
 Igor http://poige.nm.ru
 mailto:poige@morning.ru



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
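The flag/mask semantics discussed in this thread can be checked exhaustively rather than argued about. The following is an added illustration, not code from the thread, from IPFilter, or from the howto: it models the "flags X/Y" test as "(packet_flags AND Y) == X", with a bare "flags S" treated as "S/AUPRFS" exactly as the quoted howto states, and enumerates all 64 combinations of the six flags to show what each specification lets through. The single-letter mnemonics (F, S, R, P, A, U) and the standard TCP header bit positions are used for the encoding; the function and variable names are this example's own.

```python
"""Model of IPFilter-style ``flags X/Y`` matching over all 64 TCP flag combinations.

Added example: ``(packet_flags & mask) == wanted`` is the reading of the
howto quote used here; names below are this example's own, not IPFilter's.
"""

# Standard TCP header flag bits, keyed by the one-letter mnemonics ipf uses.
TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
}

# The six flags the howto says a bare "flags S" compares against.
ALL_SIX = "AUPRFS"


def flag_bits(letters):
    """Turn a string of mnemonics such as 'SA' into a bitmask."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]
    return bits


def parse_flags_spec(spec):
    """Split 'S/SA' into (wanted_bits, mask_bits).

    A bare 'S' is taken as 'S/AUPRFS', i.e. every flag is examined.
    """
    if "/" in spec:
        wanted, mask = spec.split("/", 1)
    else:
        wanted, mask = spec, ALL_SIX
    return flag_bits(wanted), flag_bits(mask)


def rule_matches(spec, packet_flags):
    """True if a packet carrying exactly ``packet_flags`` matches ``spec``.

    Bits outside the mask are ignored; bits inside the mask must equal the
    wanted set, so 'S/SAFR' demands SYN set and ACK, FIN, RST all clear.
    """
    wanted, mask = parse_flags_spec(spec)
    return (flag_bits(packet_flags) & mask) == wanted


def matching_combinations(spec):
    """All flag combinations (as mnemonic strings) that ``spec`` accepts."""
    wanted, mask = parse_flags_spec(spec)
    accepted = []
    for value in range(64):  # every subset of the six flags
        letters = "".join(ch for ch in ALL_SIX if value & TCP_FLAGS[ch])
        if (value & mask) == wanted:
            accepted.append(letters)
    return accepted


if __name__ == "__main__":
    for spec in ("S", "S/SA", "S/SAFR"):
        combos = matching_combinations(spec)
        print(f"flags {spec:<7} accepts {len(combos):2d} combinations: {combos}")
```

Running it shows that "flags S" accepts exactly one combination (a clean SYN), "flags S/SA" accepts sixteen (SYN with any mix of URG, PSH, FIN, RST, including SYN+RST), and "flags S/SAFR" accepts four (SYN plus any mix of URG and PSH only), which is the trade-off the howto describes.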




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19592974009.20010609111937>