Date: Tue, 30 Oct 2007 21:04:11 +0100
From: Jeremie Le Hen
To: "Bruce M. Simpson"
Cc: freebsd-net@FreeBSD.org, Brooks Davis, Matus Harvan, Max Laier
Subject: Re: UDP catchall
Message-ID: <20071030200410.GJ78526@obiwan.tataz.chchile.org>
In-Reply-To: <4726395B.8080905@FreeBSD.org>
References: <20070909201837.GA18107@inf.ethz.ch> <20071026154057.GG1049@styx.ethz.ch> <4722AEB3.1010208@FreeBSD.org> <20071029150424.GA68594@lor.one-eyed-alien.net> <4726395B.8080905@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mutt/1.5.15 (2007-04-06)

On Mon, Oct 29, 2007 at 07:49:47PM +0000, Bruce M. Simpson wrote:
> Brooks Davis wrote:
> > While I think this idea has some merit, I think we specifically want
> > the current wildcard ability to allow for a system that requires
> > minimal configuration. The problem with a range is that it doesn't
> > allow disjoint sets and it requires that if you really do want all the
> > ports you need to produce a list of currently allocated ports to avoid
> > allocating. A more (over)engineered solution holds some attraction, but
> > I'm not yet convinced the fact that it could exist precludes the current
> > implementation.
>
> Actually I concur with you on this point, based solely on the disjoint sets
> point.
>
> Another vector of attack would be to put the relay functionality into PF,
> which can do the packet matching. However this of course suffers from the
> problem that if you just want a plain old UDP socket for mtund, you won't
> get that unless you go to the inpcb layer anyway.
>
> But who says mtund needs to use sockets for its traffic relay? There is
> definite appeal in *not* doing it in the socket layer at all -- an
> adaptation of pf's log socket may suffice...
I can think of a possible implementation of mtund(8) without kernel patching.
The next pf(4) import from OpenBSD will likely allow logging to some
particular pflog(4) interface (instead of the default pflog0). It will then
be possible to create a couple of rules matching one or more ranges of ports
and logging to, say, pflog1. Reading on the latter, mtund(8) will immediately
open a socket bound to the corresponding port. This is a kind of port
knocking. Thanks to the TCP retransmission algorithm, or mtunc(1)'s
cleverness in the case of a UDP socket, the second packet should hit mtund(8).

One downside is that it requires a bunch of configuration in pf.conf(5), so
it may not be as straightforward to set up as one may have expected. I don't
know TCP internals; it may affect TCP slow start or have some other minor
drawbacks. But hey, we're talking about bypassing a firewall :-)...

My 2 cents.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >