Date: Sun, 17 Dec 2000 10:24:12 +0100 From: Poul-Henning Kamp <phk@critter.freebsd.dk> To: Kris Kennaway <kris@FreeBSD.org> Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <17340.977045052@critter> In-Reply-To: Your message of "Sun, 17 Dec 2000 01:20:07 PST." <20001217012007.A18038@citusc.usc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <20001217012007.A18038@citusc.usc.edu>, Kris Kennaway writes: > >On Sat, Dec 16, 2000 at 11:42:07AM -0800, Poul-Henning Kamp wrote: >> phk 2000/12/16 11:42:07 PST >>=20 >> Modified files: >> sys/netinet ip_icmp.c tcp_subr.c tcp_var.h=20 >> Log: >> We currently does not react to ICMP administratively prohibited >> messages send by routers when they deny our traffic, this causes >> a timeout when trying to connect to TCP ports/services on a remote >> host, which is blocked by routers or firewalls. > >This sounds like a security hole since ICMP messages don't have a TCP >sequence number meaning they can be trivially spoofed - am I wrong? There was some discussion on the list, and the result was that the default is this behaviour is "off" for now. Since we only react to this in "SYN-SENT" I think the window of opportunity is rather small in the first place... -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?17340.977045052>