From owner-freebsd-security Mon Dec 17 17:43:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from scaup.prod.itd.earthlink.net (scaup.mail.pas.earthlink.net [207.217.120.49]) by hub.freebsd.org (Postfix) with ESMTP id B1AA237B405 for ; Mon, 17 Dec 2001 17:43:18 -0800 (PST)
Received: from dialup-209.247.139.120.dial1.sanjose1.level3.net ([209.247.139.120] helo=blossom.cjclark.org) by scaup.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16G9Ho-0003Dm-00; Mon, 17 Dec 2001 17:43:16 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fBI1hEB20964; Mon, 17 Dec 2001 17:43:14 -0800 (PST) (envelope-from cjc)
Date: Mon, 17 Dec 2001 17:43:14 -0800
From: "Crist J . Clark"
To: endrju
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw+syn
Message-ID: <20011217174314.G19170@blossom.cjclark.org>
References: <005d01c183f8$2932aec0$8241949f@TRDC> <20011213130508.A20968@mail.slc.edu> <20011213131120.A21111@mail.slc.edu> <016001c18402$bd795110$8241949f@TRDC> <001601c18403$373ff030$5e3bad86@boredom> <005d01c184a4$a6aeefb0$8241949f@TRDC> <20011214144153.A3473@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011214144153.A3473@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Fri, Dec 14, 2001 at 02:41:53PM -0800
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Dec 14, 2001 at 02:41:53PM -0800, Crist J . Clark wrote:
> On Fri, Dec 14, 2001 at 03:38:44PM +0200, endrju wrote:
> > ...# ipfw -a list
> > 00100 0 0 allow ip from any to any frag
> > 00200 419 44610 allow ip from any to any
> > 65535 884 92423 deny ip from any to any
> >
> > but anyway:
> >
> > su-2.04# nmap -sS -f aaa.bbb.ccc.ddd
> > Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap/ )
> > sendto in send_syn_fragz: Permission denied
>
> It's clear that ipfw(8) is blocking these. Your command line will work
> fine on a FreeBSD machine without ipfw(8) running. I'll see if I can
> figure out exactly where it is dropping these.

The problem here is that ipfw(8) will treat these packets as
"bogusfrags." One of the first things that the firewall does is try to
pull up the packet's IP and TCP header. The IP fragments that nmap(1)
produces with the -f option do not contain the full TCP header in the
initial packet. This causes the pullup to fail.

Dropping packets like this is desired and valid. There is really no use
for them but trying to evade firewalls. I can't think of a legitimate
reason for their existence.

I believe the bug is that this behavior is not documented or logged.
ipfw(8) talks about rule -1 and what happens to packets with an offset
of 1. These packets have an offset of 2, but are dropped for similar
reasons. The logging needs to be fixed for these.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
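The following is an added illustration, not ipfw's own code or anything from this thread: a small classifier that applies the check the reply describes to raw IPv4 packets, namely that the first (offset 0) fragment of a TCP packet must carry the full 20-byte TCP header or the pullup fails and the packet is treated as a bogus fragment, with the offset-1 case kept apart because that is the one ipfw(8) documents as rule -1. It also emits the log line the reply says is missing, in a constructed format of this example's own choosing. The verdict names, the header-building helpers and the sample packets (which only ever exist in memory) are all constructed for the example.

```python
"""Fragment handling as described for ipfw(8): added example, not ipfw's code.

classify() returns one of five constructed verdict strings:
  'pass'      complete TCP packet or non-TCP non-fragment, go on to rule matching
  'frag'      non-first fragment with offset >= 2, left to the ruleset's 'frag' rules
  'bogusfrag' first fragment whose TCP header pullup would fail (the nmap -f case)
  'offset1'   fragment starting 8 bytes into the TCP header (the documented rule -1 case)
  'short'     packet too short even for the IP header, or a truncated non-fragment
"""
import struct
from typing import List, Optional, Tuple

IP_PROTO_TCP = 6
IP_MF = 0x2000        # "more fragments" flag in the IPv4 flags/offset field
IP_OFFMASK = 0x1FFF   # fragment offset, in units of 8 bytes
TCP_HDR_MIN = 20      # bytes a pullup of the fixed TCP header needs


def classify(pkt: bytes) -> str:
    """Mirror the pullup check: the first fragment must hold a whole TCP header."""
    if len(pkt) < 20:
        return "short"                       # IP header pullup itself fails
    ver_ihl, _tos, _tot, _id, frag_field, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(pkt) < ihl:
        return "short"
    offset = frag_field & IP_OFFMASK
    more = bool(frag_field & IP_MF)
    if proto != IP_PROTO_TCP:
        return "frag" if (offset or more) else "pass"
    if offset == 1:
        return "offset1"                     # overlaps the TCP header: documented drop
    if offset > 1:
        return "frag"                        # later fragment, carries no TCP header
    # offset == 0: first (or only) piece; the TCP header must be complete
    if len(pkt) - ihl < TCP_HDR_MIN:
        return "bogusfrag" if more else "short"
    return "pass"


def log_line(pkt: bytes, verdict: str) -> Optional[str]:
    """Constructed log format for the dropped cases (what the reply says is missing)."""
    if verdict not in ("bogusfrag", "offset1", "short"):
        return None
    if len(pkt) < 20:
        return "deny ?? -> ?? reason=short"
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    offset = struct.unpack("!H", pkt[6:8])[0] & IP_OFFMASK
    return f"deny TCP {src} -> {dst} frag offset={offset} reason={verdict}"


def run(packets: List[bytes]) -> Tuple[int, List[str]]:
    """Return (packets handed on to the ruleset, log lines for the rest)."""
    passed, logs = 0, []
    for pkt in packets:
        verdict = classify(pkt)
        if verdict in ("pass", "frag"):
            passed += 1
        else:
            logs.append(log_line(pkt, verdict))
    return passed, logs


# --- constructed sample packets (checksums left zero; nothing is ever sent) ---
def ip_header(payload_len: int, offset: int, more: bool, proto: int = IP_PROTO_TCP) -> bytes:
    frag_field = (IP_MF if more else 0) | (offset & IP_OFFMASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       frag_field, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def tcp_syn_header(sport: int = 40000, dport: int = 80) -> bytes:
    # data offset 5 (20 bytes), flags 0x02 = SYN, window 1024, checksum/urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 1024, 0, 0)


SYN = tcp_syn_header()
FULL_SYN = ip_header(20, 0, False) + SYN                  # normal SYN: passes
TINY_FIRST = ip_header(8, 0, True) + SYN[:8]              # 8 bytes of TCP header: bogusfrag
OFFSET1 = ip_header(8, 1, True) + SYN[8:16]               # starts inside the header: offset1
LATER = ip_header(8, 2, False) + SYN[16:20] + b"\0" * 4   # offset 2: ordinary frag

if __name__ == "__main__":
    for name, pkt in [("FULL_SYN", FULL_SYN), ("TINY_FIRST", TINY_FIRST),
                      ("OFFSET1", OFFSET1), ("LATER", LATER)]:
        print(f"{name:11} -> {classify(pkt)}")
    print(run([FULL_SYN, TINY_FIRST, OFFSET1, LATER]))
```

The point of separating `offset1` from `bogusfrag` is exactly the reply's complaint: both are dropped before any rule is consulted, so neither shows up in the counters of the `frag` rule or the final `deny` rule, and without a log line an administrator sees only the sender's `Permission denied`.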