From owner-freebsd-net@FreeBSD.ORG Tue Nov 8 19:23:48 2005
Return-Path:
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 76B6316A41F for ; Tue, 8 Nov 2005 19:23:48 +0000 (GMT) (envelope-from silby@silby.com)
Received: from relay03.pair.com (relay03.pair.com [209.68.5.17]) by mx1.FreeBSD.org (Postfix) with SMTP id BFD7243D5A for ; Tue, 8 Nov 2005 19:23:46 +0000 (GMT) (envelope-from silby@silby.com)
Received: (qmail 23793 invoked from network); 8 Nov 2005 19:23:44 -0000
Received: from unknown (HELO localhost) (unknown) by unknown with SMTP; 8 Nov 2005 19:23:44 -0000
X-pair-Authenticated: 209.68.2.70
Date: Tue, 8 Nov 2005 13:23:43 -0600 (CST)
From: Mike Silbersack
To: Lars Eggert
In-Reply-To:
Message-ID: <20051108130801.Y36544@odysseus.silby.com>
References:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: net@freebsd.org
Subject: Re: TCP RST handling in 6.0
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Nov 2005 19:23:48 -0000

On Tue, 8 Nov 2005, Lars Eggert wrote:

> Thus, I'd like to suggest that the default for net.inet.tcp.insecure_rst be
> zero for now. AFAIK, any other TCP mod came disabled by default in the past,
> too.
>
> Lars

I'm open to discussing the change. I plan to revisit that and the SYN causing a connection reset issue after EuroBSDCon.

However, I'm open to clubbing you over the head for not saying anything throughout the entire 6.0 release cycle and requesting the change AFTER THE RELEASE HAS SHIPPED. Since 6.0 shipped with this feature on, I don't think we should flip the setting back to off until a good reason has been given.

While we're on the subject of potential problems, I'd like to throw out an idea.

What would people think of a "log perhaps somewhat in vain" option (turned on by default) that logged unusual-looking packets to /var/log/ip.log, but did it in a ratelimited fashion, so that it would not be possible for attackers to chew up disk space? This would of course get written to during an attack, but it would also log legitimate cases, such as where a RST blocked by this setting came in. This could also be used to tell if future changes cause additional incompatibilities.

Such a feature wouldn't cause performance problems, but I could see there being privacy concerns. If the log was only root readable, what would people think? Remember that I'm talking only about logging "odd" packets, and only their TCP/IP flags and fields, not the data contents.

Mike "Silby" Silbersack
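As an added illustration of the two mechanisms discussed in this message (this is example code written for this page, not code from the thread or from the FreeBSD kernel): a simplified model of the strict-versus-lenient RST acceptance check that net.inet.tcp.insecure_rst toggles, and a per-second rate-limited logger that records only header fields, in the spirit of the kernel's ppsratecheck() but not that function. The RST check here is an assumption modelled on the thread's description (in-window RSTs are accepted anywhere in the window when lenient, only at the expected sequence number when strict), not a transcript of tcp_input.c; the packet struct, the reason strings and the sample addresses are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Header-only view of a packet: the fields the proposal would log.
 * Constructed for this example; no payload bytes are ever stored. */
struct odd_pkt {
    const char *src, *dst;      /* IPv4 addresses as text */
    unsigned sport, dport;
    unsigned flags;             /* TH_* bits */
    uint32_t seq, ack;
    unsigned win;
};

/* Modular sequence-number comparison, as TCP requires (handles wrap-around). */
static bool seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

enum rst_verdict { RST_ACCEPT, RST_OFF_SEQUENCE, RST_OUT_OF_WINDOW };

/* Simplified model (an assumption of this example, not tcp_input.c): a RST
 * is only considered if it lands in the receive window; with insecure_rst=0
 * it must additionally hit rcv_nxt exactly.  RST_OFF_SEQUENCE is the case
 * the mail proposes logging, since a lenient stack would have accepted it. */
static enum rst_verdict classify_rst(uint32_t seq, uint32_t rcv_nxt,
                                     uint32_t rcv_wnd, bool insecure_rst)
{
    bool in_window = (rcv_wnd == 0)
        ? (seq == rcv_nxt)   /* zero window: only the expected byte counts */
        : (!seq_lt(seq, rcv_nxt) && seq_lt(seq, rcv_nxt + rcv_wnd));
    if (!in_window)
        return RST_OUT_OF_WINDOW;
    if (seq == rcv_nxt || insecure_rst)
        return RST_ACCEPT;
    return RST_OFF_SEQUENCE;
}

/* Fixed budget of log lines per second.  Time is passed in as whole
 * seconds so behaviour is deterministic and testable. */
struct log_ratelimit {
    long maxpps;
    long window_start;          /* -1 until the first packet is seen */
    long used;                  /* lines written this second */
    unsigned long suppressed;   /* lines dropped this second */
};

static bool ratelimit_allow(struct log_ratelimit *rl, long now, FILE *out)
{
    if (now != rl->window_start) {
        /* New second: report once what the previous one lost, then reset. */
        if (rl->suppressed)
            fprintf(out, "%ld ip.log: %lu odd packets not logged (rate limit)\n",
                    rl->window_start, rl->suppressed);
        rl->window_start = now;
        rl->used = 0;
        rl->suppressed = 0;
    }
    if (rl->used < rl->maxpps) {
        rl->used++;
        return true;
    }
    rl->suppressed++;            /* counted, never written: bounded disk use */
    return false;
}

/* Write one header-only line; returns whether it was actually written. */
static bool log_odd_packet(struct log_ratelimit *rl, long now,
                           const struct odd_pkt *p, const char *why, FILE *out)
{
    if (!ratelimit_allow(rl, now, out))
        return false;
    fprintf(out, "%ld %s:%u > %s:%u flags=%c%c%c seq=%lu ack=%lu win=%u %s\n",
            now, p->src, p->sport, p->dst, p->dport,
            (p->flags & TH_SYN) ? 'S' : '.',
            (p->flags & TH_RST) ? 'R' : '.',
            (p->flags & TH_ACK) ? 'A' : '.',
            (unsigned long)p->seq, (unsigned long)p->ack, p->win, why);
    return true;
}

/* Feed n copies of one packet at second `now`; returns how many got logged. */
static int flood(struct log_ratelimit *rl, long now, const struct odd_pkt *p,
                 int n, FILE *out)
{
    int logged = 0;
    for (int i = 0; i < n; i++)
        if (log_odd_packet(rl, now, p, "rst-off-sequence", out))
            logged++;
    return logged;
}

int main(void)
{
    /* Constructed sample: connection expecting seq 1000, window 65535,
     * hit by a spray of in-window RSTs at seq 1500. */
    struct log_ratelimit rl = { .maxpps = 5, .window_start = -1 };
    struct odd_pkt rst = { "203.0.113.9", "192.0.2.1", 80, 51234,
                           TH_RST | TH_ACK, 1500, 0, 0 };

    if (classify_rst(rst.seq, 1000, 65535, false) == RST_OFF_SEQUENCE) {
        int n = flood(&rl, 0, &rst, 50, stdout);   /* only 5 lines written */
        printf("logged %d of 50 in second 0\n", n);
        log_odd_packet(&rl, 1, &rst, "rst-off-sequence", stdout); /* summary + resume */
    }
    return 0;
}
```

The limiter keys on wall-clock seconds rather than on attacker-controlled packet contents, so an attacker can force at most maxpps lines per second plus one summary line, whatever the packet rate; the off-sequence verdict is what lets the log distinguish a RST the strict check discarded (which may be a legitimate peer with a stale window) from plain out-of-window noise.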