On 2006-02-12, Andrew Lunn <[EMAIL PROTECTED]> wrote:

> For things like this I generally go back to the FreeBSD
> sources and study them.

I was thinking about doing that -- but I hadn't gotten around to
finding them yet.

> I don't see anything in the latest code which indicates that
> this "problem" has been fixed. I'm actually wondering if this
> is deliberate.

If it is, it's violating the RFC. The RFC describes the exact
"problem" I'm seeing (a host being rebooted and attempting to
re-open an "already open" connection). The RFC specifies the
solution.

> It looks like some firewalls will block SYN packets to
> established connections:
>
> http://www.checkpoint.com/appint/appint_transport_layer.html
>
> It seems to me the ACK reply is a bad idea. It provides an
> attacker with the sequence number and so allows it to hijack
> the connection.

But if you don't do it, a host that's been rebooted can't
re-establish a connection. I think security enhancements that
violate the RFC and break existing systems ought to be socket
options that are disabled by default.

> Having said that, it looks like Linux 2.6.15 will send an ACK.
>
> So, well, err. I think you should take this up with the
> FreeBSD people. Find out if they think this is a bug or a
> security feature.

Regardless of whether they think it's a bug or not, I've got to
fix it in eCos's TCP stack. My customers have systems that
worked with the old TCP stack and don't work with the new one.

-- 
Grant Edwards                   grante             Yow!  I want a COLOR
                                  at               T.V. and a VIBRATING
                               visi.com            BED!!!

--
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss
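The RFC behaviour the thread argues about, as an added example that is not part of the thread or of the eCos stack: a small Python model of RFC 793 section 3.9 (figure 10, "half-open connection discovery"), in which rebooted host A sends a fresh SYN to host B, which still holds the old connection. The TCB fields, the sequence numbers (300/100/400) and the 200-byte receive window are constructed to match the RFC's figure; the ACK that B sends for the stale SYN is the one Andrew objects to, and the RST it provokes from A is what lets the rebooted host reconnect.

```python
from collections import namedtuple
from dataclasses import dataclass
Seg = namedtuple("Seg", "flags seq ack", defaults=(0,))  # flags: S=SYN, A=ACK, R=RST

@dataclass
class Tcb:
    state: str
    iss: int            # initial send sequence number (constructed, after RFC 793 fig. 10)
    snd_una: int = 0    # oldest unacknowledged sequence number
    snd_nxt: int = 0    # next sequence number to send
    rcv_nxt: int = 0    # next sequence number expected from the peer
    rcv_wnd: int = 200  # small window, so the rebooted host's SYN lands outside it
    def connect(self):  # active open: send SYN
        self.snd_una, self.snd_nxt, self.state = self.iss, self.iss + 1, "SYN-SENT"
        return Seg("S", self.iss)
    def recv(self, s):  # process one segment as RFC 793 section 3.9 prescribes
        if self.state == "LISTEN" and "S" in s.flags:       # passive open: answer SYN-ACK
            self.rcv_nxt, self.snd_una, self.snd_nxt = s.seq + 1, self.iss, self.iss + 1
            self.state = "SYN-RECEIVED"
            return Seg("SA", self.iss, self.rcv_nxt)
        if self.state == "SYN-SENT":
            ack_ok = self.snd_una < s.ack <= self.snd_nxt
            if "A" in s.flags and not ack_ok:                # ACK of data we never sent
                return Seg("R", s.ack)                       # -> <SEQ=SEG.ACK><CTL=RST>
            if "S" in s.flags and ack_ok:                    # SYN-ACK completes the handshake
                self.rcv_nxt, self.snd_una, self.state = s.seq + 1, s.ack, "ESTABLISHED"
                return Seg("A", self.snd_nxt, self.rcv_nxt)
        elif self.state in ("SYN-RECEIVED", "ESTABLISHED"):
            if not (self.rcv_nxt <= s.seq < self.rcv_nxt + self.rcv_wnd):
                # unacceptable SEQ: ACK with the live SND.NXT/RCV.NXT (the ACK the thread
                # debates; RFC 5961 keeps it but rate-limits it). A bad-SEQ RST is dropped.
                return None if "R" in s.flags else Seg("A", self.snd_nxt, self.rcv_nxt)
            if "R" in s.flags or "S" in s.flags:             # in-window RST or SYN: abort
                self.state = "CLOSED"
                return None if "R" in s.flags else Seg("R", self.snd_nxt)
            if "A" in s.flags and self.snd_una <= s.ack <= self.snd_nxt:
                self.snd_una, self.state = s.ack, "ESTABLISHED"
        return None

def exchange(a, b, seg, trace):  # deliver seg A->B, bounce replies until one side is silent
    src, dst = ("A", a), ("B", b)
    while seg is not None:
        trace.append(f"{src[0]}->{dst[0]} {seg.flags} seq={seg.seq} ack={seg.ack}")
        seg, (src, dst) = dst[1].recv(seg), (dst, src)

def half_open_recovery():  # RFC 793 fig. 10: A rebooted while B still holds the old connection
    b = Tcb("ESTABLISHED", iss=300, snd_una=300, snd_nxt=300, rcv_nxt=100)
    a, trace = Tcb("CLOSED", iss=400), []
    exchange(a, b, a.connect(), trace)      # SYN -> ACK -> RST: B aborts the stale connection
    b.state, b.iss = "LISTEN", 500          # B's server re-opens the port with a fresh ISS
    exchange(a, b, Seg("S", a.iss), trace)  # A retransmits SYN: a normal three-way handshake
    return trace, a.state, b.state
```

A SYN that lands inside B's window is handled differently by RFC 793 (an immediate RST and abort), which is why the model's window is kept small; the trace returned by `half_open_recovery()` shows the three-segment teardown followed by the normal handshake.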
