kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+ [regression]

Eygene Ryabinkin rea at freebsd.org
Sat May 31 13:57:44 UTC 2014


Fri, May 30, 2014 at 10:58:14AM -0700, hiren panchasara wrote:
> > clearing the FIN bit for SYN packets has been
> > the standard behaviour of pf for at least approximately 10 years,
> >   http://svnweb.freebsd.org/base/vendor-sys/pf/dist/sys/contrib/pf/net/pf_norm.c?view=markup&pathrev=126258#l1242
> 
> I am curious, what's the rationale for this behavior? Why does PF,
> being a firewall, clear the FIN bit for such a packet?

My understanding is that it is done to conceal the specific reaction of
the host's TCP stack that pf's "scrub" rule protects from outside-world
scanning.
-- 
Eygene Ryabinkin                                        ,,,^..^,,,
[ Life's unfair - but root password helps!           | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
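An added illustration of the interaction the thread describes (example code, not from the thread, pf or the FreeBSD kernel): pf's scrub normalisation clears FIN on a SYN segment before the host stack runs, so a simplified tcp_input() check controlled by drop_synfin never sees a SYN+FIN segment and the sysctl appears to do nothing. The function names, the 20-byte header values and the "dropped"/"accepted" results are constructed for this example.

```python
import struct

TH_FIN = 0x01
TH_SYN = 0x02
TH_ACK = 0x10


def make_segment(flags: int) -> bytes:
    """Constructed 20-byte TCP header: sport 40000, dport 22, seq 1, ack 0,
    data offset 5 (no options), window 65535, checksum 0, urgent 0."""
    return struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Flags byte sits at offset 13 of the TCP header."""
    return segment[13]


def set_tcp_flags(segment: bytes, flags: int) -> bytes:
    return segment[:13] + bytes([flags]) + segment[14:]


def pf_scrub(segment: bytes) -> bytes:
    """pf 'scrub' normalisation as the thread describes it: a SYN that also
    carries FIN has its FIN bit cleared before the host stack sees it."""
    flags = tcp_flags(segment)
    if flags & TH_SYN and flags & TH_FIN:
        return set_tcp_flags(segment, flags & ~TH_FIN)
    return segment


def host_tcp_input(segment: bytes, drop_synfin: bool) -> str:
    """Simplified host check: with net.inet.tcp.drop_synfin=1 a segment
    carrying both SYN and FIN is dropped, otherwise it is processed."""
    flags = tcp_flags(segment)
    if drop_synfin and (flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN):
        return "dropped"
    return "accepted"


def deliver(segment: bytes, scrub: bool, drop_synfin: bool) -> str:
    """Inbound path: pf normalisation (if scrub is enabled) runs first,
    then the host stack sees whatever is left."""
    if scrub:
        segment = pf_scrub(segment)
    return host_tcp_input(segment, drop_synfin)
```

With scrub in front of the host, `deliver(make_segment(TH_SYN | TH_FIN), scrub=True, drop_synfin=True)` returns "accepted", because the host only ever sees a plain SYN; without scrub the same segment is dropped.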