Date: Wed, 31 Oct 2007 23:39:32 +0100
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Matus Harvan <mharvan@inf.ethz.ch>
Cc: freebsd-net@FreeBSD.org, Jeremie Le Hen <jeremie@le-hen.org>
Subject: Re: UDP catchall
Message-ID: <20071031223932.GD805@obiwan.tataz.chchile.org>
In-Reply-To: <20071031012104.GG2564@styx.ethz.ch>
References: <20070909201837.GA18107@inf.ethz.ch> <20071026154057.GG1049@styx.ethz.ch> <4722AEB3.1010208@FreeBSD.org> <20071029150424.GA68594@lor.one-eyed-alien.net> <4726395B.8080905@FreeBSD.org> <20071030200410.GJ78526@obiwan.tataz.chchile.org> <20071031012104.GG2564@styx.ethz.ch>
Matus,

On Wed, Oct 31, 2007 at 02:21:04AM +0100, Matus Harvan wrote:
> On Tue, Oct 30, 2007 at 09:04:11PM +0100, Jeremie Le Hen wrote:
> > I can think of a possible implementation of mtund(8) without kernel
> > patching. The next pf(4) import from OpenBSD will likely allow logging
> > to some particular pflog(4) interface (instead of the default pflog0).
> >
> > It will then be possible to create a couple of rules matching one or
> > more ranges of ports and logging to, say, pflog1. Reading on the
> > latter, mtund(8) will immediately open a socket bound to the
> > corresponding port. This is a kind of port knocking. Thanks to the TCP
> > retransmission algorithm, or to mtunc(1)'s cleverness in the case of a
> > UDP socket, the second packet should hit mtund(8).
> >
> > One downside is that it requires a bunch of configuration in pf.conf(5),
> > so it may not be as straightforward to set up as one may have expected.
> >
> > I don't know TCP internals; it may affect TCP slow start or have some
> > other minor drawbacks. But hey, we're talking about bypassing a firewall
> > :-)...
>
> If an RST packet is generated in response to the first TCP SYN packet,
> then the firewall, which we're trying to pass, might decide that the
> port in question is closed and delete/modify the state for the TCP
> connection. If the RST packet hits the sender of the SYN packet then
> there might be no retransmission, as the sender would think the TCP
> port is closed.

Yes, sorry. When I was writing this email I had in mind that we need to use
the blackhole functionality, but I forgot to mention it.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
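As an added illustration of the setup sketched in this exchange (constructed here, not taken from the thread or from mtund's own sources), the pf.conf(5) rule that logs the first packet of a flow to pflog1, together with the blackhole sysctls the reply refers to. The interface name, the port range and the per-rule `log (to pflog1)` syntax are assumptions:

```pf
# /etc/pf.conf fragment (constructed example; em0 and the port range are assumptions)
ext_if = "em0"
knock_ports = "{ 10000:10100 }"

# Log the first packet of any new TCP or UDP flow in the port range to a spare
# pflog(4) interface (pflog1) so a daemon reading that interface can learn
# which port was hit and bind a socket to it. "log (to pflog1)" is the
# per-rule pflog target the thread expects from the next pf import.
pass in log (to pflog1) on $ext_if proto { tcp udp } to ($ext_if) port $knock_ports

# /etc/sysctl.conf fragment: the blackhole behaviour the reply mentions.
# With net.inet.tcp.blackhole=2 a segment to a port with no listener is
# dropped silently instead of being answered with an RST, so the client's
# retransmission can reach the socket bound after the first packet was seen.
# net.inet.udp.blackhole=1 suppresses the ICMP port unreachable likewise.
#
#   net.inet.tcp.blackhole=2
#   net.inet.udp.blackhole=1
```

Without the blackhole sysctls the first SYN is answered with an RST, which is exactly the failure the reply above describes: an intermediate stateful firewall tears down its state and the client does not retransmit.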