UDP catchall

Jeremie Le Hen jeremie at le-hen.org
Wed Oct 31 16:32:39 PDT 2007


Matus,

On Wed, Oct 31, 2007 at 02:21:04AM +0100, Matus Harvan wrote:
> On Tue, Oct 30, 2007 at 09:04:11PM +0100, Jeremie Le Hen wrote:
> > I can think of a possible implementation of mtund(8) without kernel
> > patching.  The next pf(4) import from OpenBSD will likely allow logging
> > to a particular pflog(4) interface (instead of the default pflog0).
> > 
> > It will then be possible to create a couple of rules matching one or
> > more ranges of ports and logging to, say, pflog1.  Reading on the
> > latter, mtund(8) will immediately open a socket bound to the
> > corresponding port.  This is a kind of port knocking.  Thanks to the TCP
> > retransmission algorithm, or mtunc(1)'s cleverness in the case of a UDP
> > socket, the second packet should hit mtund(8).
> > 
> > One downside is that it requires a bunch of configuration in pf.conf(5),
> > so it may not be as straightforward to set up as one may have expected.
> > 
> > I don't know TCP internals, it may affect TCP slow start or have some
> > other minor drawbacks.  But hey, we're talking about bypassing a
> > firewall :-)...
> 
> If an RST packet is generated in response to the first TCP SYN packet,
> then the firewall, which we're trying to pass, might decide that the
> port in question is closed and delete/modify the state for the TCP
> connection. If the RST packet hits the sender of the SYN packet then
> there might be no retransmission as the sender would think the TCP
> port is closed.

Yes, sorry.  When I was writing this email I had in mind that we need to use
the blackhole functionality, but I forgot to mention it.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
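The pf.conf(5) fragment below is an added illustration of the setup sketched in this thread; it is not code from either poster or from the mtund project. It assumes an external interface named em0, a tunnel port range of 40000-40099 and a ruleset whose default policy is to block; the pflog1 interface must be created first with `ifconfig pflog1 create`.

```pf
# Added example, not from the thread. Assumptions: external interface is
# em0, mtund(8) will be bound on ports 40000-40099, default policy blocks.
ext_if = "em0"
knock_ports = "40000:40099"

# Normal policy for everything else; these entries go to the default pflog0.
block in log on $ext_if

# Let the tunnel port range through, but send the log entries to pflog1
# instead of pflog0, so a daemon reading pflog1 only ever sees these hits
# and not the rest of the firewall log.  Without "all" in the log options,
# only the packet that creates the state (the first SYN, or the first UDP
# datagram) is logged, which is exactly the trigger the daemon needs.
pass in log (to pflog1) quick on $ext_if proto { tcp udp } \
    from any to ($ext_if) port $knock_ports
```

The logged packet still reaches a closed port on the host, so this only works together with the kernel-side blackhole behaviour mentioned in the reply: with `net.inet.tcp.blackhole=2` and `net.inet.udp.blackhole=1` in /etc/sysctl.conf, FreeBSD drops the first SYN (or UDP datagram) silently instead of answering with an RST or ICMP unreachable, the sender retransmits, and by then the daemon has had time to bind the port. `tcpdump -n -e -i pflog1` shows what the daemon would be reacting to.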