Date: Mon, 18 Dec 2000 13:20:51 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Jesper Skriver <jesper@skriver.dk>
Cc: Kris Kennaway <kris@FreeBSD.ORG>, Poul-Henning Kamp <phk@critter.freebsd.dk>, security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.org
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <Pine.BSF.4.21.0012181310290.63148-100000@achilles.silby.com>
In-Reply-To: <20001218182600.C1856@skriver.dk>
On Mon, 18 Dec 2000, Jesper Skriver wrote:

> - Check for SYN-SENT state removed

I was thinking about this point, and I think there are two compelling reasons to keep it enabled only for the SYN_SENT state.

First, the cases in which connections are in progress to a port which is in the process of being blocked for the first time are rare. The slight chance that honoring such messages will allow connections to be falsely reset outweighs the small gain of killing connections over paths that have suddenly been firewalled.

Second, if I understand correctly, this code may be able to kill IPSEC connections too. (?) If so, it would allow a simple packet sniffer and spoofer to defeat all the fancy crypto in use. (If someone's more familiar with IPSEC and this patch could clarify, it would be appreciated.)

Mike "Silby" Silbersack
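The SYN_SENT-only behaviour argued for above, written out as an added example (not the patch under discussion or any FreeBSD code): an ICMP unreachable quoting a connection's addresses and ports is matched against that connection and only tears it down while the connection is still in SYN_SENT, so the same message aimed at an established connection is ignored. The ICMP codes are the standard RFC 792/1122 values; the state enum, connection struct and sample addresses are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
/* Subset of TCP states used here (constructed; not the kernel's full enum). */
enum tcp_state { TCPS_SYN_SENT, TCPS_ESTABLISHED };

/* ICMP type 3 (destination unreachable) codes, standard RFC 792/1122 values. */
enum { ICMP_UNREACH_PORT = 3, ICMP_UNREACH_NET_PROHIB = 9,
       ICMP_UNREACH_HOST_PROHIB = 10, ICMP_UNREACH_FILTER_PROHIB = 13 };

/* Minimal connection block: local/foreign address and port, state, drop flag. */
struct conn { uint32_t laddr, faddr; uint16_t lport, fport; enum tcp_state state; int dropped; };

/* What an ICMP error quotes back: the offending IP header's addresses and the
 * first 8 bytes of TCP (ports, sequence number). Anyone who can see the
 * connection's addresses and ports can build a matching quote (seq unchecked here). */
struct icmp_quote { uint32_t src, dst; uint16_t sport, dport; uint32_t seq; uint8_t code; };

/* Returns 1 if the connection was torn down, 0 if the ICMP message was ignored. */
int icmp_unreach_handle(struct conn *c, const struct icmp_quote *q) {
    if (q->code != ICMP_UNREACH_PORT && q->code != ICMP_UNREACH_NET_PROHIB &&
        q->code != ICMP_UNREACH_HOST_PROHIB && q->code != ICMP_UNREACH_FILTER_PROHIB)
        return 0;                      /* not a "hard" unreachable: never acted on */
    /* The quoted packet was sent by us, so its source is our local side. */
    if (q->src != c->laddr || q->dst != c->faddr ||
        q->sport != c->lport || q->dport != c->fport)
        return 0;                      /* does not match this connection */
    if (c->state != TCPS_SYN_SENT)
        return 0;                      /* past SYN_SENT: ignore, cannot be reset this way */
    c->dropped = 1;
    return 1;
}

/* Constructed scenario: a FILTER_PROHIB aimed at an already established connection. */
int established_survives(void) {
    struct conn c = { 0x0a000001, 0x0a000002, 1025, 80, TCPS_ESTABLISHED, 0 };
    struct icmp_quote q = { 0x0a000001, 0x0a000002, 1025, 80, 0x1234, ICMP_UNREACH_FILTER_PROHIB };
    return icmp_unreach_handle(&c, &q) == 0 && c.dropped == 0;
}

/* Constructed scenario: the same message against a connection still in SYN_SENT. */
int syn_sent_is_dropped(void) {
    struct conn c = { 0x0a000001, 0x0a000002, 1025, 80, TCPS_SYN_SENT, 0 };
    struct icmp_quote q = { 0x0a000001, 0x0a000002, 1025, 80, 0x1234, ICMP_UNREACH_FILTER_PROHIB };
    return icmp_unreach_handle(&c, &q) == 1 && c.dropped == 1;
}
int main(void) {
    printf("established ignored: %d, syn_sent dropped: %d\n", established_survives(), syn_sent_is_dropped());
    return 0;
}
```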