From owner-freebsd-current Tue Aug 17 9:43:44 1999
Delivered-To: freebsd-current@freebsd.org
Received: from wall.polstra.com (rtrwan160.accessone.com [206.213.115.74]) by hub.freebsd.org (Postfix) with ESMTP id DDF8A156F6 for ; Tue, 17 Aug 1999 09:43:39 -0700 (PDT) (envelope-from jdp@polstra.com)
Received: from vashon.polstra.com (vashon.polstra.com [206.213.73.13]) by wall.polstra.com (8.9.3/8.9.1) with ESMTP id JAA12901; Tue, 17 Aug 1999 09:41:55 -0700 (PDT) (envelope-from jdp@polstra.com)
From: John Polstra
Received: (from jdp@localhost) by vashon.polstra.com (8.9.3/8.9.1) id JAA02146; Tue, 17 Aug 1999 09:41:54 -0700 (PDT) (envelope-from jdp@polstra.com)
Date: Tue, 17 Aug 1999 09:41:54 -0700 (PDT)
Message-Id: <199908171641.JAA02146@vashon.polstra.com>
To: geoffr@is.co.za
Subject: Re: Dropping connections without RST
In-Reply-To:
Organization: Polstra & Co., Seattle, WA
Cc: current@freebsd.org
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In article , Geoff Rehmet wrote:
> > > Plus, packets with RST in them are used for other purposes besides
> > > rejecting new incoming connections..
>
> True, my implementation is specific that I only omit generating
> a RST when the incoming segment is a SYN. All other instances
> where you would generate a RST are left alone, and carry on
> behaving as before - otherwise you might break TCP behaviour.

I like the idea. However, something a _little_ more sophisticated
would be nice. The policy you describe above wouldn't work against
stealth probes. From the nmap man page:

    -sF -sX -sN
        Stealth FIN, Xmas Tree, or Null scan modes: There are times
        when even SYN scanning isn't clandestine enough. Some
        firewalls and packet filters watch for SYNs to restricted
        ports, and programs like Synlogger and Courtney are
        available to detect these scans. These advanced scans, on
        the other hand, may be able to pass through unmolested.

        The idea is that closed ports are required to reply to your
        probe packet with an RST, while open ports must ignore the
        packets in question (see RFC 794 pp 64). The FIN scan uses a
        bare (surprise) FIN packet as the probe, while the Xmas tree
        scan turns on the FIN, URG, and PUSH flags. The Null scan
        turns off all flags.

John
--
John Polstra                                               jdp@polstra.com
John D. Polstra & Co., Inc.                        Seattle, Washington USA
"No matter how cynical I get, I just can't keep up." -- Nora Ephron

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
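The point John makes above is easier to see when the host's reply rule is written out. The following is an added example, not code from John Polstra's mail and not FreeBSD's TCP stack: it models whether a port with no listener answers a segment with a RST under three rules: plain RFC 793 behaviour, the policy Geoff describes (suppress the RST only for an incoming SYN), and a hypothetical stricter rule that stays silent for any segment carrying no ACK, which is what the bare-FIN, Xmas and Null probes look like. The flag constants, the policy names and the `POLICY_DROP_NOACK` rule are this example's own assumptions, not anything the thread proposes in detail.

```c
/*
 * Added example (not from the original mail, not FreeBSD's tcp_input.c):
 * when does a port with no listener reply with a RST?  The model lets one
 * compare the policy discussed in the thread with the RFC 793 default and
 * with a hypothetical stricter variant.
 */
#include <stdbool.h>
#include <stdio.h>

/* TCP header flag bits, as laid out in the TCP header (RFC 793). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20

enum rst_policy {
    POLICY_RFC793,     /* closed port answers every non-RST segment with a RST */
    POLICY_DROP_SYN,   /* Geoff's policy: drop a SYN silently, RST all else */
    POLICY_DROP_NOACK  /* hypothetical: drop any segment without ACK silently */
};

/*
 * True if a port with no listener would send a RST in reply to a segment
 * carrying `flags` under policy `p`.
 */
bool closed_port_sends_rst(unsigned flags, enum rst_policy p)
{
    /* RFC 793: a RST is never answered with another RST, under any policy. */
    if (flags & TH_RST)
        return false;

    switch (p) {
    case POLICY_RFC793:
        return true;
    case POLICY_DROP_SYN:
        /* Only a connection request (SYN without ACK) is dropped silently.
         * A SYN|ACK arriving for a connection that does not exist still gets
         * the RST that clears the peer's half-open state; this is one of the
         * "other purposes" for RST that the thread says must keep working. */
        return (flags & (TH_SYN | TH_ACK)) != TH_SYN;
    case POLICY_DROP_NOACK:
        /* A segment that acknowledges nothing cannot belong to a live
         * connection, so it is dropped; a segment with ACK still draws a RST
         * so a stale peer learns the connection is gone. */
        return (flags & TH_ACK) != 0;
    }
    return true;
}

/*
 * The FIN / Xmas / Null scans quoted in the mail work because a closed port
 * answers the probe while an open port stays silent.  A socket in LISTEN
 * replies SYN|ACK to a SYN, RST to any ACK, and drops everything else
 * (RFC 793), so it is silent exactly when SYN, ACK and RST are all clear.
 * This returns true when the closed port's reply still differs from that
 * silence under policy `p`, i.e. the probe still tells closed from open.
 */
bool stealth_probe_reveals_closed_port(unsigned flags, enum rst_policy p)
{
    bool open_port_silent = (flags & (TH_SYN | TH_ACK | TH_RST)) == 0;
    return open_port_silent && closed_port_sends_rst(flags, p);
}

int main(void)
{
    /* Constructed probe set: the scans named in the mail plus a plain ACK. */
    static const struct { const char *name; unsigned flags; } probes[] = {
        { "SYN",  TH_SYN },
        { "FIN",  TH_FIN },
        { "Xmas", TH_FIN | TH_URG | TH_PUSH },
        { "Null", 0 },
        { "ACK",  TH_ACK },
    };
    static const enum rst_policy policies[] = {
        POLICY_RFC793, POLICY_DROP_SYN, POLICY_DROP_NOACK
    };
    static const char *const policy_names[] = {
        "RFC 793", "drop SYN", "drop no-ACK"
    };
    size_t i, j;

    printf("closed port sends RST?\n%-6s", "probe");
    for (j = 0; j < 3; j++)
        printf(" %-12s", policy_names[j]);
    printf("\n");
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("%-6s", probes[i].name);
        for (j = 0; j < 3; j++)
            printf(" %-12s",
                   closed_port_sends_rst(probes[i].flags, policies[j]) ? "yes" : "no");
        printf("\n");
    }
    return 0;
}
```

The table shows the gap John points at: under the drop-SYN policy the FIN, Xmas and Null rows still read "yes", so a closed port keeps answering those probes with a RST even though it no longer answers a SYN. Under the stricter no-ACK rule those rows go silent while the ACK row stays "yes", which is the part Geoff wanted to preserve so ordinary TCP recovery is not broken.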