[ECOS] Re: SYN problem with new TCP/IP stack
Andrew Lunn
andrew@lunn.ch
Sun Feb 12 10:50:00 GMT 2006
> Whaddayathink?
Hi Grant

For things like this I generally go back to the FreeBSD sources and
study them.

I don't see anything in the latest code which indicates that this
"problem" has been fixed. I'm actually wondering if this is
deliberate.

It looks like some firewalls will block SYN packets to established
connections:

http://www.checkpoint.com/appint/appint_transport_layer.html

It seems to me the ACK reply is a bad idea. It provides an attacker
with the sequence number and so allows it to hijack the connection.
Having said that, it looks like Linux 2.6.15 will send an ACK.

So, well, err. I think you should take this up with the FreeBSD
people. Find out if they think this is a bug or a security feature.

Andrew
--
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss