Date: Sat, 31 May 2014 17:57:33 +0400
From: Eygene Ryabinkin <rea@freebsd.org>
To: hiren panchasara <hiren.panchasara@gmail.com>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+ [regression]
Message-ID: <ph%2BPGoiPgwzwRbK5wOtQXtmPzL4@TeaO8toyk2ItetETzQNIE5HO4Jg>
In-Reply-To: <CALCpEUEG2H=L_OC7VQq%2Bx-xs5L16mzs3Q91Do%2Bu-2orGRvWAYQ@mail.gmail.com>
References: <201405222101.s4ML122N061489@freefall.freebsd.org> <%2BUw/Ss5bElti5gir%2B%2Bydy1GLu7M@dHhGgwofm7uNfL6/X5%2BbGIkDUYs> <CALCpEUEG2H=L_OC7VQq%2Bx-xs5L16mzs3Q91Do%2Bu-2orGRvWAYQ@mail.gmail.com>

Fri, May 30, 2014 at 10:58:14AM -0700, hiren panchasara wrote:
> > clearing FIN bit for SYN packets was
> > the standard behaviour of pf since approximately at least 10 years,
> > http://svnweb.freebsd.org/base/vendor-sys/pf/dist/sys/contrib/pf/net/pf_norm.c?view=markup&pathrev=126258#l1242
>
> I am curious, what's the rationale for this behavior? Why does PF
> clear the FIN bit for such a packet being a firewall?

My understanding is that it is done to conceal specific reaction of
the host's TCP stack that pf's "scrub" rule protects from the outer
world scanning.
-- 
Eygene Ryabinkin ,,,^..^,,,
[ Life's unfair - but root password helps! | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
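
As an added illustration of the normalization discussed in this message (not part of the original e-mail and not pf's source code), the C code below clears FIN on a TCP header that carries both SYN and FIN and patches the checksum with the RFC 1624 incremental update, so the protected host only ever sees a plain SYN. The function names and the raw-buffer interface are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define TH_FIN 0x01
#define TH_SYN 0x02

/* Read/write a big-endian 16-bit word in a raw header buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Full Internet checksum over buf (even len); returns 0 when buf verifies. */
uint16_t inet_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += rd16(buf + i);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 1624 incremental update: HC' = ~(~HC + ~m + m'). */
static uint16_t cksum_fixup(uint16_t hc, uint16_t old, uint16_t new_)
{
    uint32_t sum = (uint16_t)~hc + (uint32_t)(uint16_t)~old + new_;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * Normalize one TCP header in place (hypothetical helper, not pf's API):
 * if SYN and FIN are both set, clear FIN and patch the checksum.
 * Returns 1 if rewritten, 0 if untouched, -1 if the buffer is shorter
 * than a minimal 20-byte TCP header.
 */
int scrub_synfin(uint8_t *tcp, size_t len)
{
    if (len < 20)
        return -1;
    uint16_t old = rd16(tcp + 12);      /* data offset + flags word */
    if ((old & (TH_SYN | TH_FIN)) != (TH_SYN | TH_FIN))
        return 0;
    uint16_t new_ = (uint16_t)(old & ~TH_FIN);
    wr16(tcp + 12, new_);               /* flags now carry SYN only */
    wr16(tcp + 16, cksum_fixup(rd16(tcp + 16), old, new_));
    return 1;
}
```

The incremental update stays valid for a real segment because the pseudo-header and payload words that also feed the TCP checksum are not modified.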