Date:      Tue, 25 Nov 2008 23:51:54 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Eirik Øverby <ltning@anduin.net>
Cc:        freebsd-security@freebsd.org, Pieter de Boer <pieter@thedarkside.nl>
Subject:   Re: Dropping syn+fin replies, but not really?
Message-ID:  <20081125232938.C43853@sola.nimnet.asn.au>
In-Reply-To: <0A92AEEC-5AF2-4DB7-9ACD-855731E168C6@anduin.net>
References:  <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net> <49299876.4020702@thelostparadise.com> <876D0973-A384-4567-8E61-771E96E8A65A@anduin.net> <492B26B9.505@thedarkside.nl> <0A92AEEC-5AF2-4DB7-9ACD-855731E168C6@anduin.net>

On Mon, 24 Nov 2008, Eirik Øverby wrote:
 > On Nov 24, 2008, at 23:12, Pieter de Boer wrote:
[..]
 > > > Results for port 8585:
 > > > IP (tos 0x0, ttl  59, id 44156, offset 0, flags [DF], proto: TCP (6),
 > > > length: 64) alge.anart.no.1839 > 213.225.74.230.8585: S, cksum 0xf765
 > > > (correct), 1324215952:1324215952(0) win 16384 <mss
 > > > 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4070158112 0>
 > > > IP (tos 0x0, ttl  63, id 34488, offset 0, flags [DF], proto: TCP (6),
 > > > length: 40) 213.225.74.230.8585 > alge.anart.no.1839: R, cksum 0x52ef
 > > > (correct), 0:0(0) ack 1324215953 win 0
 > > > I can't tell what's going on here, except I wouldn't have expected a
 > > > reply at all to the second one at least, and maybe not even the first.
 > > > However, I don't have enough experience to tell if nmap is doing the
 > > > "right thing" here at all.
[..]
 > > The strictest firewall configuration would be to have everything filtered
 > > except the ports you actually use. Those ports are either NATted to the
 > > back-end system or handled by the firewall itself (in case you want that
 > > functionality). From a security perspective, simply dropping incoming
 > > traffic is better than sending back RSTs. In pf this is the default.
 > 
 > That is correct, however in this case I do 1:1 and no pf on the target host
 > (it is in a DMZ). I ran the scan on this system out of curiosity only,
 > however as stated above this problem is far from unique to this particular
 > system.
 > 
 > Thanks for your input, I'll keep trying to reproduce this..

Perhaps off to the side, but I wonder if net.inet.tcp.blackhole may be 
relevant?  Here tcpdump was showing RSTs back to attempted connections 
to unused ports, despite these being dropped on ingress by the firewall, 
which I thought was unnecessarily informative :)

# net.inet.tcp.blackhole: Do not send RST when dropping refused connections
net.inet.tcp.blackhole=1

fixed that here.  Caveats: that's on a 5.5-STABLE box using ipfw to drop 
such connections.  I'd been surprised to see those RSTs too ..

cheers, Ian
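The check Ian describes, watching tcpdump for RSTs coming back to probes of unused ports, can be scripted so it is easy to compare a capture taken before and after changing net.inet.tcp.blackhole. The following is an added example, not code from the thread: it parses lines in the verbose tcpdump format quoted above, pairs each SYN probe with the target's answer, and reports which closed ports still replied with an RST. The sample capture is constructed for the example (scanner.example and 192.0.2.10 are placeholder names, not the hosts from the thread).

```python
import re

# Constructed sample in the tcpdump -v format quoted in the thread. Hosts,
# ports and sequence numbers are illustrative, not taken from any real capture:
#  - port 8585 is closed and answers with an RST (what blackhole should silence)
#  - port 22 is open and answers with SYN-ACK ("S.")
#  - port 9999 is closed and gives no reply at all
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 59, id 44156, offset 0, flags [DF], proto: TCP (6), length: 64) scanner.example.1839 > 192.0.2.10.8585: S, cksum 0xf765 (correct), 1324215952:1324215952(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 4070158112 0>
IP (tos 0x0, ttl 63, id 34488, offset 0, flags [DF], proto: TCP (6), length: 40) 192.0.2.10.8585 > scanner.example.1839: R, cksum 0x52ef (correct), 0:0(0) ack 1324215953 win 0
IP (tos 0x0, ttl 59, id 44157, offset 0, flags [DF], proto: TCP (6), length: 64) scanner.example.1840 > 192.0.2.10.22: S, cksum 0x1111 (correct), 1:1(0) win 16384 <mss 1460>
IP (tos 0x0, ttl 63, id 34489, offset 0, flags [DF], proto: TCP (6), length: 60) 192.0.2.10.22 > scanner.example.1840: S., cksum 0x2222 (correct), 9:9(0) ack 2 win 65535 <mss 1460>
IP (tos 0x0, ttl 59, id 44158, offset 0, flags [DF], proto: TCP (6), length: 64) scanner.example.1841 > 192.0.2.10.9999: S, cksum 0x3333 (correct), 5:5(0) win 16384 <mss 1460>
"""

# "host.port > host.port: FLAGS," as printed by tcpdump; the greedy host match
# backtracks so that the last dotted component becomes the port.
PKT_RE = re.compile(
    r'(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+),'
)


def parse_packets(capture):
    """Return one dict per recognisable TCP line: src, sport, dst, dport, flags."""
    packets = []
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue  # non-TCP or wrapped continuation line
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        packets.append(d)
    return packets


def classify_probes(capture, target):
    """Map each port probed on `target` to 'open', 'rst' or 'silent'.

    A SYN ("S") towards the target registers a probe as 'silent'; a later
    reply from the same target port to the same scanner port upgrades it to
    'rst' (closed port that talked back) or 'open' (SYN-ACK, "S.").
    """
    probes = {}  # (scanner host, scanner port, target port) -> verdict
    for p in parse_packets(capture):
        if p["dst"] == target and p["flags"] == "S":
            probes[(p["src"], p["sport"], p["dport"])] = "silent"
        elif p["src"] == target:
            key = (p["dst"], p["dport"], p["sport"])
            if key not in probes:
                continue  # reply whose probe we never saw; ignore
            if p["flags"].startswith("R"):
                probes[key] = "rst"
            elif p["flags"] == "S.":
                probes[key] = "open"
    return {dport: verdict for (_, _, dport), verdict in probes.items()}


def leaking_ports(capture, target):
    """Closed ports that answered a SYN with an RST, i.e. the replies
    net.inet.tcp.blackhole=1 is meant to suppress."""
    verdicts = classify_probes(capture, target)
    return sorted(port for port, v in verdicts.items() if v == "rst")


if __name__ == "__main__":
    for port, verdict in sorted(classify_probes(SAMPLE_CAPTURE, "192.0.2.10").items()):
        print(f"port {port:5d}: {verdict}")
    print("RST leaked from:", leaking_ports(SAMPLE_CAPTURE, "192.0.2.10"))
```

Run it against a real capture by feeding the output of `tcpdump -n -v` for the host under test into `leaking_ports()`: an empty list after the sysctl change means the closed ports have gone quiet, while ports still listed point at packets that reached the stack rather than being dropped by the firewall rule that was supposed to catch them.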