From owner-freebsd-net@FreeBSD.ORG Wed Oct 31 23:32:39 2007
From: Jeremie Le Hen
To: Matus Harvan
Cc: freebsd-net@FreeBSD.org, Jeremie Le Hen
Date: Wed, 31 Oct 2007 23:39:32 +0100
Subject: Re: UDP catchall
Message-ID: <20071031223932.GD805@obiwan.tataz.chchile.org>
In-Reply-To: <20071031012104.GG2564@styx.ethz.ch>
References: <20070909201837.GA18107@inf.ethz.ch> <20071026154057.GG1049@styx.ethz.ch> <4722AEB3.1010208@FreeBSD.org> <20071029150424.GA68594@lor.one-eyed-alien.net> <4726395B.8080905@FreeBSD.org> <20071030200410.GJ78526@obiwan.tataz.chchile.org> <20071031012104.GG2564@styx.ethz.ch>
User-Agent: Mutt/1.5.15 (2007-04-06)
List-Id: Networking and TCP/IP with FreeBSD

Matus,

On Wed, Oct 31, 2007 at 02:21:04AM +0100, Matus Harvan wrote:
> On Tue, Oct 30, 2007 at 09:04:11PM +0100, Jeremie Le Hen wrote:
> > I can think of a possible implementation of mtund(8) without kernel
> > patching. The next pf(4) import from OpenBSD will likely allow logging
> > to a particular pflog(4) interface (instead of the default pflog0).
> >
> > It will then be possible to create a couple of rules matching one or
> > more ranges of ports and logging to, say, pflog1. Reading from the
> > latter, mtund(8) will immediately open a socket bound to the
> > corresponding port. This is a kind of port knocking. Thanks to the TCP
> > retransmission algorithm, or to mtunc(1)'s cleverness in the case of a
> > UDP socket, the second packet should hit mtund(8).
> >
> > One downside is that it requires a bunch of configuration in pf.conf(5),
> > so it may not be as straightforward to set up as one may have expected.
> >
> > I don't know TCP internals; it may affect TCP slow start or have some
> > other minor drawbacks. But hey, we're talking about bypassing a firewall
> > :-)...
>
> If an RST packet is generated in response to the first TCP SYN packet,
> then the firewall, which we're trying to pass, might decide that the
> port in question is closed and delete/modify the state for the TCP
> connection. If the RST packet hits the sender of the SYN packet then
> there might be no retransmission, as the sender would think the TCP
> port is closed.

Yes, sorry. When I was writing this email I had in mind that we need to
use the blackhole functionality, but I forgot to mention it.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
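An added example, not code from this thread and not part of mtund(8)/mtunc(1): a Python sketch of the listener side of the scheme described in the quoted message, put together so the pieces can be checked against each other. It emits the pf.conf(5) rules that pass knocks on a port range and log them to a dedicated pflog interface, decodes a DLT_PFLOG record as read from that interface, and, for an inbound initial SYN (or UDP datagram) to a port in the range, binds a socket there so the client's retransmitted SYN lands on it. Assumptions: the 64-byte `struct pfloghdr` layout of OpenBSD 4.x / FreeBSD 7-era pf, the `log (to pflog1)` rule syntax of the pf import the message anticipates, and the sample record, which is constructed here rather than captured. The blackhole sysctls are the FreeBSD ones the reply refers to; reading live records from pflog1 (a libpcap DLT_PFLOG device) is left out.

```python
import socket
import struct
from collections import namedtuple

# Assumed pf 4.x-era values; check <net/if_pflog.h> and <net/pfvar.h> on the target.
PFLOG_HDRLEN = 64          # sizeof(struct pfloghdr)
PFLOG_REAL_HDRLEN = 61     # offsetof(struct pfloghdr, pad); what pflog puts in hdr.length
PF_IN, PF_OUT = 1, 2       # pfloghdr.dir
AF_INET_BSD = 2
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TH_SYN, TH_ACK = 0x02, 0x10

# FreeBSD sysctls that stop the kernel answering a port nobody listens on yet:
# tcp.blackhole=1 drops SYNs to closed ports without a RST, =2 drops all segments;
# udp.blackhole=1 suppresses the ICMP port-unreachable.
SYSCTLS = ["net.inet.tcp.blackhole=2", "net.inet.udp.blackhole=1"]

Knock = namedtuple("Knock", "ifname direction proto dport tcp_flags")


def pf_rules(port_ranges, log_if="pflog1"):
    """pf.conf lines that let knocks through and log them to a dedicated
    pflog interface (the `log (to pflogN)` clause of OpenBSD 4.1-era pf)."""
    lines = []
    for lo, hi in port_ranges:
        for proto in ("tcp", "udp"):
            lines.append("pass in log (to %s) proto %s from any to any port %d:%d"
                         % (log_if, proto, lo, hi))
    return lines


def parse_pflog_record(rec):
    """Decode one DLT_PFLOG record (pfloghdr followed by the IP packet).
    Returns a Knock, or None for anything that is not IPv4 TCP/UDP."""
    if len(rec) < PFLOG_HDRLEN:
        raise ValueError("short pflog record")
    length, af = rec[0], rec[1]
    ifname = rec[4:20].split(b"\0", 1)[0].decode("ascii", "replace")
    direction = rec[60]
    pkt = rec[(length + 3) & ~3:]            # BPF_WORDALIGN(hdr.length)
    if af != AF_INET_BSD or len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        return Knock(ifname, direction, proto, struct.unpack_from("!H", l4, 2)[0], l4[13])
    if proto == IPPROTO_UDP and len(l4) >= 8:
        return Knock(ifname, direction, proto, struct.unpack_from("!H", l4, 2)[0], None)
    return None


def knock_target(rec, port_ranges):
    """Is this logged packet a knock worth answering? Inbound, inside a
    configured range, and for TCP the initial SYN only (SYN set, ACK clear),
    so later segments of a connection do not re-trigger the daemon."""
    k = parse_pflog_record(rec)
    if k is None or k.direction != PF_IN:
        return None
    if not any(lo <= k.dport <= hi for lo, hi in port_ranges):
        return None
    if k.proto == IPPROTO_TCP:
        if (k.tcp_flags & (TH_SYN | TH_ACK)) != TH_SYN:
            return None
        return ("tcp", k.dport)
    return ("udp", k.dport)


def open_listener(proto, port, addr=""):
    """Bind the knocked port. With the blackhole sysctls set, the client's
    retransmitted SYN (or next datagram) reaches this socket instead of a RST."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((addr, port))
    if proto == "tcp":
        s.listen(5)
    return s


def handle_record(rec, port_ranges, listeners, addr=""):
    """One iteration of the daemon loop: returns the (proto, port) it just
    bound, or None if the record was not a knock or the port is already open."""
    target = knock_target(rec, port_ranges)
    if target is None or target in listeners:
        return None
    listeners[target] = open_listener(target[0], target[1], addr)
    return target


def build_pflog_record(ifname, direction, proto, dport, tcp_flags=TH_SYN):
    """Constructed sample record (not a real capture): pfloghdr + IPv4 + TCP/UDP."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.1")) + l4
    hdr = struct.pack("!BBBB16s16sIIIIIIB3x", PFLOG_REAL_HDRLEN, AF_INET_BSD, 0, 0,
                      ifname.encode(), b"", 0, 0, 0, 0, 0, 0, direction)
    return hdr + ip


if __name__ == "__main__":
    ranges = [(2000, 2100)]
    print("\n".join(pf_rules(ranges)))
    print(knock_target(build_pflog_record("em0", PF_IN, IPPROTO_TCP, 2042), ranges))
```

Two practical caveats the thread only hints at: `net.inet.tcp.blackhole` silences RSTs for every closed port on the host, not just the knock range, which changes what a port scanner sees everywhere; and the window the daemon has to bind is the client's SYN retransmission timer (a few seconds on most stacks), so reading pflog1 and binding must happen before that, which is why the SYN-only filter above matters: a bind triggered by a later segment would be too late anyway.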