From owner-freebsd-security Fri Jun 8 20:19:15 2001
Date: Sat, 9 Jun 2001 11:19:37 +0700
From: Igor Podlesny
Organization: Morning Network
To: Ryan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFILTER and flags S/SA
Message-ID: <19592974009.20010609111937@morning.ru>
In-Reply-To: <000601c0f08f$566f53e0$01000001@mhx800>
References: <9C643FE251025246BF8CE3ADFA3765954873@hydrogen.tmolp.com> <3B215D6A.9E968BAE@globalstar.com> <000601c0f08f$566f53e0$01000001@mhx800>

> from the IPF howto
> -
>   Some examples use flags S/SA instead of flags S.
>   flags S actually equates to flags S/AUPRFS and
>   matches against only the SYN packet out of all six
>   possible flags, while flags S/SA will allow packets
>   that may or may not have the URG, PSH, FIN, or
>   RST flags set. Some protocols demand the URG or
>   PSH flags, and S/SAFR would be a better choice for
>   these, however we feel that it is less secure to
>   blindly use S/SA when it isn't required. But it's
>   your firewall.
> -
> I was wondering if anyone could maybe explain more in detail why S/SA is
> unsafe?

English isn't my native language, but it seems to me that the quotation
from the IPF howto does answer your question clearly, so I'll just expand
on it for you:

S/SA means "check for S, looking at S and A"; the other flags don't matter,
so it will select packets with SYN set even if RST is also set. In order to
avoid such behavior, they suggest using S/SAFR, which means the following:
check that the packet has SYN set, and none of ACK, FIN, RST.

> example:
> pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags S keep state
> pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags S/SA keep state
>
> ryanpek@swbell.net

-- 
Igor
http://poige.nm.ru
mailto:poige@morning.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
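The flags/mask matching described in the thread, modelled as an added example (not code from the original posts or from IPFilter): `ipf_flags_match` checks `(packet_flags & mask) == want`, a bare `S` is expanded to `S/AUPRFS` as the howto states, and `admitted_combinations` enumerates every flag combination each spec lets through. The bit values are the standard TCP header flag bits; the function names are this example's own.

```python
# Added example: model of ipfilter "flags <want>/<mask>" TCP-flag matching.
# Shows why S/SA admits SYN+RST (and SYN+FIN) while S and S/SAFR do not.
from itertools import combinations

# Standard TCP header flag bits, keyed by ipfilter's single-letter names.
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_SIX = "AUPRFS"  # the six flags ipfilter compares against for a bare spec

def flag_bits(letters):
    """Turn a string of flag letters such as 'SA' into a bitmask."""
    bits = 0
    for ch in letters:
        bits |= FLAGS[ch]
    return bits

def parse_flags_spec(spec):
    """Parse 'S' or 'S/SA' into (want, mask). A bare 'S' means 'S/AUPRFS'."""
    want, _, mask = spec.partition("/")
    return flag_bits(want), flag_bits(mask or ALL_SIX)

def ipf_flags_match(spec, pkt_flags):
    """True if a packet carrying the flags in pkt_flags matches the spec.
    Only the bits named in the mask are compared; the rest are ignored."""
    want, mask = parse_flags_spec(spec)
    return (flag_bits(pkt_flags) & mask) == want

def admitted_combinations(spec):
    """Every non-empty flag combination (letters in AUPRFS order) the spec admits."""
    admitted = []
    for n in range(1, len(ALL_SIX) + 1):
        for combo in combinations(ALL_SIX, n):
            letters = "".join(combo)
            if ipf_flags_match(spec, letters):
                admitted.append(letters)
    return admitted

if __name__ == "__main__":
    for spec in ("S", "S/SA", "S/SAFR"):
        print(f"{spec:7} admits {admitted_combinations(spec)}")
```

Running it shows `S` admitting only a pure SYN, `S/SAFR` admitting SYN with optional URG/PSH, and `S/SA` admitting sixteen combinations including SYN+RST and SYN+FIN.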