Date:      Mon, 17 Dec 2001 17:43:14 -0800
From:      "Crist J . Clark" <cjc@FreeBSD.ORG>
To:        endrju <endrju@mail.lv>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw+syn
Message-ID:  <20011217174314.G19170@blossom.cjclark.org>
In-Reply-To: <20011214144153.A3473@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Fri, Dec 14, 2001 at 02:41:53PM -0800
References:  <005d01c183f8$2932aec0$8241949f@TRDC> <20011213130508.A20968@mail.slc.edu> <20011213131120.A21111@mail.slc.edu> <016001c18402$bd795110$8241949f@TRDC> <001601c18403$373ff030$5e3bad86@boredom> <005d01c184a4$a6aeefb0$8241949f@TRDC> <20011214144153.A3473@blossom.cjclark.org>

On Fri, Dec 14, 2001 at 02:41:53PM -0800, Crist J . Clark wrote:
> On Fri, Dec 14, 2001 at 03:38:44PM +0200, endrju wrote:
> > ...# ipfw -a list
> > 00100   0     0 allow ip from any to any frag
> > 00200 419 44610 allow ip from any to any
> > 65535 884 92423 deny ip from any to any
> > 
> > but anyway: 
> > 
> > su-2.04# nmap -sS -f aaa.bbb.ccc.ddd
> > Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap/ )
> > sendto in send_syn_fragz: Permission denied
> 
> It's clear that ipfw(8) is blocking these. Your command line will work
> fine on a FreeBSD machine without ipfw(8) running. I'll see if I can
> figure out exactly where it is dropping these.

The problem here is that ipfw(8) will treat these packets as
"bogusfrags." One of the first things that the firewall does is try to
pullup the packet's IP and TCP header. The IP fragments that nmap(1)
produces with the -f option do not contain the full TCP header in the
initial packet. This causes the pullup to fail.

Dropping packets like this is desired and valid. There is really no
use for them but trying to evade firewalls. I can't think of a
legitimate reason for their existence. I believe the bug is that this
behavior is not documented or logged. ipfw(8) talks about rule -1 and
what happens to packets with an offset of 1. These packets have an
offset of 2, but are dropped for similar reasons. The logging needs to
be fixed for these.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
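The check described in the message (an initial fragment that does not carry the whole TCP header fails the IP+TCP header pullup and is treated as a "bogusfrag") is easy to model in a few lines. The following is an added example, not ipfw(8) code or part of the original thread: it parses an IPv4 header, applies the same rule, and produces the kind of log entry the message says is missing. The verdict names (`pass`, `bogusfrag`, `overlap`), the `ipfw-example:` log format, and the helper names `parse_ipv4`, `classify_fragment`, `log_line` and `build_ipv4` are this example's own, and the packets are constructed in memory (the TCP header is split 16 + 4 bytes, matching the "offset of 2" the message describes); nothing is sent on the wire.

```python
import socket
import struct

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_MF = 0x2000       # IPv4 "more fragments" flag
IP_OFFMASK = 0x1FFF  # fragment offset field, in 8-byte units

# Minimum transport header a first fragment must carry for the pullup of
# IP + transport headers to succeed (20 bytes for TCP, 8 for UDP).
MIN_TRANSPORT_HDR = {IP_PROTO_TCP: 20, IP_PROTO_UDP: 8}


def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields a fragment check needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "mf": bool(frag & IP_MF),
        "offset": (frag & IP_OFFMASK) * 8,  # byte offset of this fragment's data
        "payload_len": min(total_len, len(pkt)) - ihl,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def classify_fragment(pkt: bytes) -> str:
    """
    Verdicts (names are this example's own, not ipfw's):
      pass      - not a fragment, or a fragment that cannot touch the transport header
      bogusfrag - first fragment (offset 0) that does not contain the whole
                  transport header, so a header pullup would fail; this is the
                  case the message describes for nmap -f
      overlap   - later fragment whose data starts inside the transport header
                  (offset 1 or 2 in 8-byte units for TCP)
    """
    hdr = parse_ipv4(pkt)
    need = MIN_TRANSPORT_HDR.get(hdr["proto"])
    if need is None:
        return "pass"  # no transport-header requirement modelled for this protocol
    if hdr["offset"] == 0:
        return "bogusfrag" if hdr["payload_len"] < need else "pass"
    return "overlap" if hdr["offset"] < need else "pass"


def log_line(pkt: bytes) -> str:
    """Build the log entry the message says should exist (format is this example's)."""
    hdr = parse_ipv4(pkt)
    verdict = classify_fragment(pkt)
    action = "Accept" if verdict == "pass" else "Deny"
    return (f"ipfw-example: {action} {verdict} proto={hdr['proto']} "
            f"offset={hdr['offset']} mf={int(hdr['mf'])} payload={hdr['payload_len']} "
            f"{hdr['src']} -> {hdr['dst']}")


def build_ipv4(proto: int, payload: bytes, offset: int = 0, more: bool = False,
               src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Constructed IPv4 packet (checksum left zero; the check does not need it)."""
    frag = (IP_MF if more else 0) | ((offset // 8) & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


# Constructed 20-byte TCP SYN header: ports 40000 -> 22, data offset 5, SYN flag.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 8192, 0, 0)

# The whole SYN in one datagram versus the same header split 16 + 4 bytes,
# the shape the message attributes to nmap -f (second fragment at offset 2 * 8).
SYN_WHOLE = build_ipv4(IP_PROTO_TCP, TCP_SYN)
FRAG_FIRST = build_ipv4(IP_PROTO_TCP, TCP_SYN[:16], offset=0, more=True)
FRAG_SECOND = build_ipv4(IP_PROTO_TCP, TCP_SYN[16:], offset=16, more=False)

if __name__ == "__main__":
    for p in (SYN_WHOLE, FRAG_FIRST, FRAG_SECOND):
        print(log_line(p))
```

Running the block prints one line per constructed packet: the whole SYN is accepted, the 16-byte first fragment is denied as `bogusfrag`, and the 4-byte trailer at byte offset 16 is denied as `overlap`. The point of logging both is the one the message makes: a silent drop leaves the operator guessing, as the "Permission denied" in the quoted nmap run shows.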
