From: Dag-Erling Smørgrav <des@des.no>
To: Jesper Wallin
Cc: freebsd-security@freebsd.org, Darren Reed
Date: Wed, 06 Jul 2005 07:39:13 +0200
Subject: Re: packets with syn/fin vs pf_norm.c
Message-ID: <86br5gpk72.fsf@xps.des.no>
In-Reply-To: <42CAA478.7010806@hackunite.net> (Jesper Wallin's message of "Tue, 05 Jul 2005 17:17:12 +0200")
References: <200507051428.j65ESjJu001522@caligula.anu.edu.au> <42CAA478.7010806@hackunite.net>

Jesper Wallin writes:
> Also, I wonder why the TCP_DROP_SYNFIN option isn't checked in pf_norm.c?

Because there's no reason for it to be.

> Sure, it might be bad/good/whatever dropping packets with SYN/FIN,
> but if you decide to do it and add the TCP_DROP_SYNFIN option, then
> it should drop them even if you use pf, ipf or ipfw..

No. If you want to drop SYN+FIN frames that pass *through* you (as opposed to those sent *to* you), it's easy enough to add a firewall rule.

The TCP_DROP_SYNFIN option should be removed; it has long outlived its original purpose (which was to prevent nmap identification of IRC servers which didn't run ipfw for performance reasons, back in the 3.0 days).

DES
-- 
Dag-Erling Smørgrav - des@des.no
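The distinction DES draws, packets sent *to* the host (what the TCP_DROP_SYNFIN kernel option covers, exposed as the net.inet.tcp.drop_synfin sysctl) versus packets passing *through* it (a firewall rule's job), is modelled in the added example below; it is not code from the thread or from FreeBSD, and the packets, addresses and the `decide` policy model are constructed for illustration.

```python
import struct
from ipaddress import ip_address

TH_FIN = 0x01
TH_SYN = 0x02

def tcp_flags(packet: bytes) -> int:
    """Return the TCP flags byte of a raw IPv4+TCP packet (no link-layer header)."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6:                    # IP protocol 6 == TCP
        raise ValueError("not a TCP packet")
    return packet[ihl + 13]               # flags byte sits at TCP offset 13

def is_syn_fin(packet: bytes) -> bool:
    """True when both SYN and FIN are set, the combination a normal stack never sends."""
    both = TH_SYN | TH_FIN
    return tcp_flags(packet) & both == both

def decide(packet: bytes, local_addrs, drop_synfin_sysctl: bool, firewall_drops_transit: bool) -> str:
    """Model which mechanism acts on a SYN+FIN packet (constructed policy model, not kernel code).

    net.inet.tcp.drop_synfin only sees packets addressed to this host; packets that are
    merely forwarded have to be caught by a firewall rule such as, in pf.conf syntax,
    'block in quick proto tcp flags SF/SF' (rule shown for illustration).
    """
    if not is_syn_fin(packet):
        return "pass"
    dst = ip_address(packet[16:20])                   # IPv4 destination address
    if dst in {ip_address(a) for a in local_addrs}:   # packet is sent *to* us
        return "dropped by net.inet.tcp.drop_synfin" if drop_synfin_sysctl else "pass"
    return "dropped by firewall rule" if firewall_drops_transit else "pass"  # passes *through* us

def build_packet(src: str, dst: str, flags: int) -> bytes:
    """Construct a minimal IPv4+TCP packet (checksums zeroed) for testing the classifier."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr

if __name__ == "__main__":
    # Constructed sample: a SYN+FIN probe aimed at us versus one we merely forward.
    local = ["198.51.100.5"]
    to_us = build_packet("192.0.2.1", "198.51.100.5", TH_SYN | TH_FIN)
    transit = build_packet("192.0.2.1", "203.0.113.9", TH_SYN | TH_FIN)
    print(decide(to_us, local, True, False))    # handled by the sysctl
    print(decide(transit, local, True, False))  # sysctl never sees it: "pass"
    print(decide(transit, local, True, True))   # the firewall rule is what catches it
```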