On Sat, Jan 24, 2004 at 06:42:57PM +0100, Per-Olov Sjöholm wrote:

> "The remote host does not discard TCP SYN packet which have the FIN flag
> set. Depending on the kind of firewall you are using, an attacker may use
> this flaw to bypass its rules."
>
> I do however use:
>
> block log all
> scrub in on $INTERNET_INT all fragment reassemble
>
> And on all incoming TCP "permit" rules I use "S/SA" as the flag combination.
S/SA means 'SYN must be set, ACK must not be set'; whether FIN is set or not
doesn't matter. If you don't want SYN+FIN to match and create state, use
'S/SAF'. There is nothing inherently bad about SYN+FIN, though, it just
doesn't make much sense. If a scrub rule matches, normalization will clear
the FIN bit in this case.

> * What does "scrub" actually do? Can't find much in the pf.conf man page.

There are several normalizations (for instance, SYN+RST is dropped, SYN+FIN
gets FIN cleared, etc.), I guess the man page just can't list them all. You
can find a detailed description in the following paper

  http://www.icir.org/vern/papers/norm-usenix-sec-01-html/index.html

and of course in the source itself

  http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_norm.c

In short, clearly invalid packets are dropped. Packets with odd attributes
(where the effects are not clearly dictated by standards) are modified so
the ambiguity is resolved (so the reaction of the recipient is predictable).

> * Do I have to manually block all illegal flag combinations as I earlier
> used to do when I used ipfilter?

No, flags S/SA is usually enough, unless you want to force specific
reactions to specific combinations (like to affect scanners or OS detection
in different ways). If a packet passes normalization and matches flags
S/SA, there's no reason to drop it, in general.

Daniel
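As an added example (not part of Daniel's reply, and not pf's own code), here is a small Python model of the two things the reply explains: how a pf 'flags a/b' option is matched against a packet's TCP flags, and what the two named scrub normalizations (SYN+RST dropped, SYN+FIN gets FIN cleared) do to a packet before the rule sees it. The flag bits are the standard TCP header bits; the scrub() function implements only those two normalizations, not everything pf_norm.c does; the sample packets are constructed flag combinations, not captured traffic; and the check that the bits in 'a' are a subset of 'b' is this model's own sanity check, not a claim about pf's parser.

```python
# Added example: a model of pf 'flags a/b' matching and two scrub
# normalizations (SYN+RST dropped, SYN+FIN -> FIN cleared), as described in
# the reply above. Not pf's code; pf_norm.c does considerably more.
from typing import Optional, Tuple

# TCP header flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def parse_flags(spec: str) -> Tuple[int, int]:
    """Parse a pf 'flags a/b' spec into (bits that must be set, bits examined).

    'S/SA'  -> SYN must be set, ACK must be clear, every other bit is don't-care.
    'S/SAF' -> additionally FIN must be clear.
    """
    set_part, _, mask_part = spec.partition("/")
    want = sum(FLAG_LETTERS[c] for c in set_part)
    mask = sum(FLAG_LETTERS[c] for c in mask_part)
    # Sanity check of this model (an assumption, not documented pf behaviour):
    # a bit that must be set also has to be among the examined bits.
    if want & ~mask:
        raise ValueError(f"flags {spec!r}: bits in a/ must also appear in /b")
    return want, mask


def flags_match(tcp_flags: int, spec: str) -> bool:
    """pf semantics: of the bits in the mask, exactly 'want' must be set."""
    want, mask = parse_flags(spec)
    return (tcp_flags & mask) == want


def scrub(tcp_flags: int) -> Optional[int]:
    """The two normalizations the reply names.

    Returns the possibly modified flags, or None if the packet is dropped.
    """
    if tcp_flags & SYN and tcp_flags & RST:   # clearly invalid: drop
        return None
    if tcp_flags & SYN and tcp_flags & FIN:   # ambiguous: resolve by clearing FIN
        tcp_flags &= ~FIN
    return tcp_flags


def flag_names(tcp_flags: int) -> str:
    return "".join(l for l, b in FLAG_LETTERS.items() if tcp_flags & b) or "-"


def evaluate(tcp_flags: int, spec: str, use_scrub: bool) -> str:
    """Outcome for one packet against 'pass in proto tcp ... flags <spec>'."""
    if use_scrub:
        normalized = scrub(tcp_flags)
        if normalized is None:
            return "dropped by scrub"
        tcp_flags = normalized
    return "pass" if flags_match(tcp_flags, spec) else "no match"


# Constructed sample packets: flag combinations only, no real capture.
SAMPLES = [SYN, SYN | ACK, SYN | FIN, SYN | RST, ACK, FIN | ACK]

if __name__ == "__main__":
    for spec in ("S/SA", "S/SAF"):
        for use_scrub in (False, True):
            print(f"flags {spec}, scrub {'on' if use_scrub else 'off'}:")
            for f in SAMPLES:
                print(f"  {flag_names(f):<3} -> {evaluate(f, spec, use_scrub)}")
```

Running it shows the point of the reply: with S/SA alone, both SYN+FIN and SYN+RST match and would create state; with S/SAF, SYN+FIN no longer matches but SYN+RST still does; with scrub in front, SYN+RST is dropped and SYN+FIN arrives as a plain SYN, so S/SA is enough once normalization has run.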
