From: krichy@tvnetwork.hu
To: misc@openbsd.org
Cc: freebsd-pf@freebsd.org
Subject: pf synproxy
Date: Wed, 28 Jan 2015 14:55:08 +0100 (CET)
List-Id: "Technical discussion and general questions about packet filter (pf)"

Dear all,

I've set up a pf firewall with synproxy. I ran a simulated DDoS for a service behind pf, and everything went fine, until I found that rarely a TCP connection got established to the service behind pf. The reason was (due to a configuration problem) that the firewall actually was connected to the Internet, and it continued the TCP handshake. As the spoofed source addresses sometimes were real, alive systems on the Internet, the SYN+ACK packet got to them. Mainly they replied with an RST packet, but some replied with RST+ACK.

And in pf's source code I found that the synproxy code only checks for the ACK flag, and if set, it declares the connection established. This way, one could find some machines with such TCP implementations, and use them to actually DDoS the target service.

Opinions?

Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.
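The flag check the mail describes, modelled here as an added example (this is neither pf's source nor the poster's code): a minimal TCP header parser, the loose rule under which any segment carrying ACK completes the proxied handshake, and a hypothetical stricter rule that also rejects segments carrying RST, SYN or FIN, run over constructed replies of the kinds the mail mentions (plain RST and RST+ACK). All function names and the sample segments are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as laid out in octet 13 of the TCP header (RFC 793). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

#define TCP_HDR_MIN 20      /* header length without options */
#define TCP_FLAGS_OFFSET 13 /* octet holding the flag bits */

/* Return the flags octet of a raw TCP header, or -1 if the buffer is too short. */
int tcp_flags(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < TCP_HDR_MIN)
        return -1;
    return hdr[TCP_FLAGS_OFFSET];
}

/* Loose policy, modelled on the behaviour the mail reports: any ACK completes the handshake,
 * so an RST+ACK reply from a real host at a spoofed address is accepted as the third segment. */
bool synproxy_loose_accepts(int flags)
{
    if (flags < 0)
        return false;
    return (flags & TH_ACK) != 0;
}

/* Hypothetical stricter policy (an assumption for this example, not a pf change): the third
 * handshake segment must carry ACK and none of SYN, RST or FIN. */
bool synproxy_strict_accepts(int flags)
{
    if (flags < 0)
        return false;
    return (flags & (TH_ACK | TH_SYN | TH_RST | TH_FIN)) == TH_ACK;
}

/* Build a constructed 20-byte TCP header (data offset 5, no options, zero checksum). */
void build_tcp_header(uint8_t out[TCP_HDR_MIN], uint16_t sport, uint16_t dport,
                      uint32_t seq, uint32_t ack, uint8_t flags)
{
    memset(out, 0, TCP_HDR_MIN);
    out[0] = (uint8_t)(sport >> 8); out[1] = (uint8_t)sport;
    out[2] = (uint8_t)(dport >> 8); out[3] = (uint8_t)dport;
    out[4] = (uint8_t)(seq >> 24); out[5] = (uint8_t)(seq >> 16);
    out[6] = (uint8_t)(seq >> 8);  out[7] = (uint8_t)seq;
    out[8] = (uint8_t)(ack >> 24); out[9] = (uint8_t)(ack >> 16);
    out[10] = (uint8_t)(ack >> 8); out[11] = (uint8_t)ack;
    out[12] = 5 << 4;              /* data offset in 32-bit words */
    out[13] = flags;
    out[14] = 0xff; out[15] = 0xff; /* window */
}

/* Constructed sample of replies arriving at the proxy for one SYN+ACK it sent out.
 * Counts segments the loose rule would turn into an established state but the strict
 * rule would not; that difference is what a defender would want to alarm on. */
int count_spurious_completions(void)
{
    const uint8_t sample_flags[] = {
        TH_ACK,           /* genuine third segment of a handshake */
        TH_RST | TH_ACK,  /* reply from a real host that never sent the SYN */
        TH_RST,           /* the common reply the mail describes */
        TH_SYN | TH_ACK,  /* a stray SYN+ACK */
        TH_ACK | TH_PSH,  /* ACK with data: still a legitimate completion */
    };
    uint8_t hdr[TCP_HDR_MIN];
    int spurious = 0;

    for (size_t i = 0; i < sizeof sample_flags; i++) {
        build_tcp_header(hdr, 40000, 80, 0x11111111u, 0x22222222u, sample_flags[i]);
        int f = tcp_flags(hdr, sizeof hdr);
        if (synproxy_loose_accepts(f) && !synproxy_strict_accepts(f))
            spurious++;
    }
    return spurious;
}

int main(void)
{
    printf("loose-accepted, strict-rejected segments: %d\n", count_spurious_completions());
    return 0;
}
```

With the five constructed segments, the loose rule establishes four states (everything except the plain RST) while the strict rule establishes two (ACK and ACK+PSH); the two spurious completions are the RST+ACK and SYN+ACK replies.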