From: Eygene Ryabinkin
To: hiren panchasara
Cc: freebsd-net@freebsd.org
Date: Sat, 31 May 2014 17:57:33 +0400
Subject: Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+ [regression]
References: <201405222101.s4ML122N061489@freefall.freebsd.org> <+Uw/Ss5bElti5gir++ydy1GLu7M@dHhGgwofm7uNfL6/X5+bGIkDUYs>
On Fri, May 30, 2014 at 10:58:14AM -0700, hiren panchasara wrote:
> > clearing FIN bit for SYN packets was
> > the standard behaviour of pf since approximately at least 10 years,
> > http://svnweb.freebsd.org/base/vendor-sys/pf/dist/sys/contrib/pf/net/pf_norm.c?view=markup&pathrev=126258#l1242
>
> I am curious, what's the rationale for this behavior? Why does PF
> clear the FIN bit for such a packet being a firewall?

My understanding is that it is done to conceal the specific reaction of
the host's TCP stack that pf's "scrub" rule protects from the outer
world's scanning.

--
Eygene Ryabinkin                        ,,,^..^,,,
[ Life's unfair - but root password helps!     | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
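An added example, not code from this thread or from pf/FreeBSD: a small Python model of the two behaviours the thread compares, the kernel's net.inet.tcp.drop_synfin check (drop a SYN+FIN segment) and pf scrub's normalisation (clear FIN on a SYN and let the segment through), run over a constructed 20-byte TCP header. The sample addresses and ports, and the use of an RFC 1624 incremental checksum patch for the cleared bit, are my assumptions, chosen so the scrubbed segment can be verified against a full checksum recomputation.

```python
import struct
TH_FIN, TH_SYN = 0x01, 0x02   # TCP flag bits; the flags byte is header offset 13
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed sample 10.0.0.1 -> 10.0.0.2

def ones_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def tcp_checksum(src: bytes, dst: bytes, seg: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]   # checksum field counted as zero
    return ~ones_sum(pseudo + zeroed) & 0xFFFF

def checksum_ok(src: bytes, dst: bytes, seg: bytes) -> bool:
    return tcp_checksum(src, dst, seg) == struct.unpack("!H", seg[16:18])[0]

def build_segment(src, dst, sport, dport, flags) -> bytes:
    """Minimal 20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr)) + hdr[18:]

def cksum_fixup(old_ck: int, old_word: int, new_word: int) -> int:
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m'), avoiding a full recompute."""
    c = (~old_ck & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    c = (c & 0xFFFF) + (c >> 16)
    c = (c & 0xFFFF) + (c >> 16)
    return ~c & 0xFFFF

def drop_synfin(seg: bytes) -> bool:
    """Model of net.inet.tcp.drop_synfin=1: a segment carrying SYN and FIN is dropped."""
    return (seg[13] & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)

def scrub(seg: bytes) -> bytes:
    """Model of pf scrub on a SYN segment: clear FIN and patch the checksum."""
    if not drop_synfin(seg):
        return seg
    old_word = struct.unpack("!H", seg[12:14])[0]   # data-offset byte + flags byte
    new_word = old_word & ~TH_FIN
    new_ck = cksum_fixup(struct.unpack("!H", seg[16:18])[0], old_word, new_word)
    out = bytearray(seg)
    out[12:14] = struct.pack("!H", new_word)
    out[16:18] = struct.pack("!H", new_ck)
    return bytes(out)
```

After scrub the segment is byte-for-byte the plain SYN the host would have seen anyway, so the peer learns nothing from how the stack answers a SYN+FIN.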