From: "A. Wright" <wright.546@osu.edu>
List: pf4freebsd (pf4freebsd@freelists.org), archived to freebsd-pf@freebsd.org on Thu, 16 Sep 2004
Date: Mon, 22 Dec 2003 09:58:23 -0500
Subject: [pf4freebsd] Re: About using reassemble tcp/modulate state
References: <003301c3c10a$e94f7c00$aa66df50@FAITH> <20031213004650.GS24011@insomnia.benzedrine.cx>

Hello All,

The email below actually came from another pf mailing list, pf@benzedrine.cx. I thought I should ask my question here first since I'm using the FreeBSD port of pf. If it turns out not to be some difference with the port, I'll try the other list.

I'm running FreeBSD 5.1-Release-p10 with pf 2.00 installed from the ports. In the email below, Daniel Hartmeier says that 'reassemble tcp' should clean TCP packets so they don't disclose your machine's uptime, as well as prevent the counting of boxes behind a NAT. In my pf.conf I have the line "scrub all reassemble tcp fragment reassemble". However, when I telnet to another box running p0f v2 (http://lcamtuf.coredump.cx/p0f.shtml) it correctly determines my uptime.
(It also correctly determines my OS as well, which I thought the scrub option would prevent, but one thing at a time.) Can anyone offer me insight on why p0f can correctly determine my uptime when the 'reassemble tcp' option is supposed to prevent it?

Thanks for your time!

Aaron

----- Original Message -----
From: "Daniel Hartmeier"
To: "Toni Riekkinen"
Sent: Friday, December 12, 2003 7:46 PM
Subject: Re: About using reassemble tcp/modulate state

> On Sat, Dec 13, 2003 at 01:51:49AM +0200, Toni Riekkinen wrote:
>
> > What is the difference between using "scrub all reassemble tcp" and using
> > "modulate state" in incoming traffic rules, i.e. for webserver in DMZ:
>
> 'modulate state' applies to sequence numbers (th_seq, th_ack), which are
> a very basic part of TCP. When a connection is established each peer
> should choose a random initial sequence number, which then gets
> increased with the amount of data sent. It's crucial for security that
> these initial sequence numbers are unpredictable for outside parties,
> otherwise attackers can inject data into the connection or stall or
> reset it. Some OS' TCP/IP stacks are known to generate weak (non-random,
> predictable) initial sequence numbers, and modulate state will
> compensate for them by adding/subtracting a random modulator value.
>
> 'reassemble tcp' enables multiple normalization features for TCP
> packets, one of them is 'timeout modulation'. It's a similar scheme, but
> applied to timestamp TCP options. Such timestamps need not be random for
> security reasons, but non-random values can disclose your uptime or
> number of hosts (behind a NAT gateway), so you may wish to modulate them
> to not disclose that information. For instance, netcraft.com shows
> uptimes for certain hosts because they don't use random timestamps, and
> some ISPs prohibit use of multiple (NATed) hosts, analyzing timestamps
> to detect violations.
>
> So, these are two different and independent things. You can enable
> either of them, both or none. All of this is detailed in pf.conf(5),
> BTW.
>
> Daniel
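As an added illustration (not code from this thread, from pf, or from p0f), the Python below parses the TCP timestamp option the way a passive observer reads TSval to guess uptime, then applies a per-connection modulator to TSval on the way out and strips it from the echoed TSecr on the way in, in the spirit of the timestamp modulation Daniel describes. The 1000 Hz clock rate, the constructed SYN segment and the omitted checksum fix-up are assumptions of the demo.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8

def parse_tcp_options(segment):
    """Map option kind -> (offset of its value in segment, value bytes)."""
    data_offset = (segment[12] >> 4) * 4          # TCP header length in bytes
    parsed, i = {}, 20
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:  # truncated or bogus option
            raise ValueError("malformed TCP option at offset %d" % i)
        parsed[kind] = (i + 2, segment[i + 2:i + length])
        i += length
    return parsed

def timestamps(segment):
    """(TSval, TSecr) of the segment, or None if it has no timestamp option."""
    ts = parse_tcp_options(segment).get(TCP_OPT_TIMESTAMP)
    return struct.unpack("!II", ts[1]) if ts else None

def uptime_estimate(tsval, hz):
    """Seconds since boot as a passive observer would infer, assuming the
    timestamp clock started at 0 on boot and ticks at hz (assumed rate)."""
    return tsval / hz

def modulate_timestamp(segment, ts_mod, outbound):
    """Timestamp modulation for one tracked connection: add a random
    per-state modulator to our TSval on the way out and remove it from the
    peer's echoed TSecr on the way in, so both ends still see consistent
    values. (A real filter would also recompute the TCP checksum.)"""
    off = parse_tcp_options(segment)[TCP_OPT_TIMESTAMP][0]
    val, ecr = struct.unpack("!II", segment[off:off + 8])
    if outbound:
        val = (val + ts_mod) & 0xFFFFFFFF
    else:
        ecr = (ecr - ts_mod) & 0xFFFFFFFF
    return segment[:off] + struct.pack("!II", val, ecr) + segment[off + 8:]

def build_segment(tsval, tsecr):
    """Constructed sample: 32-byte TCP SYN header with NOP, NOP, Timestamp."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 8 << 4, 0x02, 65535, 0, 0)
    return hdr + bytes([1, 1, 8, 10]) + struct.pack("!II", tsval, tsecr)
```

With the modulator applied, the TSval an outside host sees no longer reflects the real tick count since boot, while the peer's echoed TSecr is restored before the local stack sees it.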