From owner-freebsd-net  Mon Dec 18 11:20:57 2000
From owner-freebsd-net@FreeBSD.ORG  Mon Dec 18 11:20:53 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139])
	by hub.freebsd.org (Postfix) with ESMTP id 9BBA637B698
	for ; Mon, 18 Dec 2000 11:20:52 -0800 (PST)
Received: (qmail 63319 invoked by uid 1000); 18 Dec 2000 19:20:51 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
	by localhost with SMTP; 18 Dec 2000 19:20:51 -0000
Date: Mon, 18 Dec 2000 13:20:51 -0600 (CST)
From: Mike Silbersack
To: Jesper Skriver
Cc: Kris Kennaway, Poul-Henning Kamp, security-officer@FreeBSD.ORG,
	cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.org
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
In-Reply-To: <20001218182600.C1856@skriver.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 18 Dec 2000, Jesper Skriver wrote:

> - Check for SYN-SENT state removed

I was thinking about this point, and I think there are two compelling
reasons to keep it enabled only for the SYN_SENT state.

First, the cases in which connections are in progress to a port which is
in the process of being blocked for the first time are rare.  The slight
chance that honoring such messages will allow connections to be falsely
reset outweighs the small gain of killing connections over paths that
have suddenly been firewalled.

Second, if I understand correctly, this code may be able to kill IPSEC
connections too.  (?)  If so, it would allow a simple packet sniffer and
spoofer to defeat all the fancy crypto in use.  (If someone's more
familiar with IPSEC and this patch could clarify, it would be
appreciated.)

Mike "Silby" Silbersack


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
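The policy being argued over above, as an added example that is not part of the original message and is not FreeBSD's ip_icmp.c or tcp_subr.c code: parse an ICMP destination-unreachable message (the 8-byte ICMP header followed by the quoted IPv4 header and the first 8 bytes of the offending TCP header), match the quoted 4-tuple to a connection, and either apply the SYN_SENT-only check or skip it. The PCB structure, state names, verdict codes, the 10.0.0.1/10.0.0.2 addresses and the ports are simplified stand-ins chosen for the example. The point it makes runnable is the first reason in the mail: with the check removed, a message forged from nothing more than a sniffed 4-tuple resets an established connection.

```c
/* Added example, not FreeBSD's ip_icmp.c/tcp_subr.c code: ICMP unreachable
 * handling with and without the SYN_SENT-only check discussed in the mail.
 * PCB layout, state names, verdicts and addresses are simplified stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_UNREACH          3
#define ICMP_UNREACH_PROTOCOL 2
#define ICMP_UNREACH_PORT     3
#define PROTO_TCP             6

enum tcp_state { TCPS_CLOSED, TCPS_SYN_SENT, TCPS_ESTABLISHED };
enum verdict   { V_MALFORMED, V_IGNORED, V_NO_MATCH, V_DROPPED };

struct pcb {                     /* host byte order throughout */
    uint32_t laddr, faddr;
    uint16_t lport, fport;
    enum tcp_state state;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Message layout (RFC 792): 8-byte ICMP header, then the quoted IPv4 header
 * and at least 8 bytes of the quoted TCP header (ports + sequence number).
 * syn_sent_only != 0 keeps the check: only a connection still in SYN_SENT is
 * torn down.  With 0, any matching connection dies. */
enum verdict icmp_unreach_input(const uint8_t *msg, size_t len,
                                struct pcb *tbl, size_t n, int syn_sent_only)
{
    if (len < 8 + 20 + 8)
        return V_MALFORMED;                      /* no room for a TCP quote */
    if (msg[0] != ICMP_UNREACH ||
        (msg[1] != ICMP_UNREACH_PORT && msg[1] != ICMP_UNREACH_PROTOCOL))
        return V_IGNORED;                        /* other codes: not fatal */
    const uint8_t *ip = msg + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8)
        return V_MALFORMED;
    if (ip[9] != PROTO_TCP)
        return V_IGNORED;
    /* The quoted packet is one we sent, so its source is our local end. */
    uint32_t src = rd32(ip + 12), dst = rd32(ip + 16);
    const uint8_t *th = ip + ihl;
    uint16_t sport = rd16(th), dport = rd16(th + 2);
    for (size_t i = 0; i < n; i++) {
        struct pcb *p = &tbl[i];
        if (p->state == TCPS_CLOSED || p->laddr != src || p->lport != sport ||
            p->faddr != dst || p->fport != dport)
            continue;
        if (syn_sent_only && p->state != TCPS_SYN_SENT)
            return V_IGNORED;                    /* past SYN_SENT: ignore */
        p->state = TCPS_CLOSED;
        return V_DROPPED;
    }
    return V_NO_MATCH;
}

/* Construct a port-unreachable quoting a segment src:sport -> dst:dport.
 * Checksums stay zero; nothing here touches a wire.  A sniffer sees every
 * field needed to forge this. */
size_t build_unreach(uint8_t *buf, uint32_t src, uint32_t dst,
                     uint16_t sport, uint16_t dport, uint32_t seq)
{
    memset(buf, 0, 36);
    buf[0] = ICMP_UNREACH;
    buf[1] = ICMP_UNREACH_PORT;
    uint8_t *ip = buf + 8;
    ip[0] = 0x45;                                /* IPv4, 20-byte header */
    put16(ip + 2, 40);                           /* total length */
    ip[8] = 64;                                  /* TTL */
    ip[9] = PROTO_TCP;
    put32(ip + 12, src);
    put32(ip + 16, dst);
    put16(ip + 20, sport);
    put16(ip + 22, dport);
    put32(ip + 24, seq);
    return 36;
}

#define LOCAL_IP   0x0A000001u                   /* hypothetical 10.0.0.1 */
#define FOREIGN_IP 0x0A000002u                   /* hypothetical 10.0.0.2 */

/* One PCB 10.0.0.1:40000 -> 10.0.0.2:22 in state st, hit by a forged
 * unreachable quoting destination port quoted_port.  Returns the verdict and,
 * if after is non-NULL, the PCB state afterwards. */
enum verdict scenario(enum tcp_state st, int syn_sent_only,
                      uint16_t quoted_port, enum tcp_state *after)
{
    uint8_t msg[36];
    size_t len = build_unreach(msg, LOCAL_IP, FOREIGN_IP, 40000, quoted_port, 0x12345678u);
    struct pcb p = { LOCAL_IP, FOREIGN_IP, 40000, 22, st };
    enum verdict v = icmp_unreach_input(msg, len, &p, 1, syn_sent_only);
    if (after)
        *after = p.state;
    return v;
}

/* 1 if the check makes the difference the mail describes for an established
 * connection: the forged message is ignored with it, resets without it. */
int check_protects_established(void)
{
    enum tcp_state a, b;
    return scenario(TCPS_ESTABLISHED, 1, 22, &a) == V_IGNORED && a == TCPS_ESTABLISHED &&
           scenario(TCPS_ESTABLISHED, 0, 22, &b) == V_DROPPED && b == TCPS_CLOSED;
}

int main(void)
{
    printf("SYN_SENT-only check shields an established connection: %s\n",
           check_protects_established() ? "yes" : "no");
    return 0;
}
```

The quoted TCP header also carries a sequence number, which this example parses but does not check; a receiver that additionally required it to fall inside the connection's send window would raise the bar for a blind forger, but that is beyond what the mail proposes and is not modelled here.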