Re: Sloppy states

From: Henning Brauer
Date: Tuesday, June 10, 2008 - 7:42 pm

* STeve Andre' <andres@msu.edu> [2008-06-11 04:34]:

like, pf.conf(5)?

     sloppy
           Uses a sloppy TCP connection tracker that does not check sequence
           numbers at all, which makes insertion and ICMP teardown attacks way
           easier.  This is intended to be used in situations where one does
           not see all packets of a connection, e.g. in asymmetric routing
           situations.  Cannot be used with modulate or synproxy state.

comes down to "do not use them".
there are some very special circumstances where they make things 
possible that didn't work before, like relayd setups with that direct 
server return stuff (where you should run another pf box with real 
state tracking in front of the relayd box) or cases where you only see 
half of the connection, and there one still has to be very careful.

anyone using sloppy statekeeping on regular firewalls deserves more 
than a spanking.

-- 
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
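An added pf.conf illustration of the distinction drawn above (not from the original post or from the OpenBSD tree): the default full state tracking on a regular firewall beside the one narrow case where sloppy is defensible. The macros $ext_if, $dsr_if, $web and $dsr_vip are placeholders.

```pf
# Added illustration, not from the original post. Interface and host
# names ($ext_if, $dsr_if, $web, $dsr_vip) are placeholders.

# Regular firewall: full TCP state tracking (the default). pf checks
# sequence numbers and windows, so out-of-window segments and forged
# RST/ICMP errors do not match the state entry.
pass in on $ext_if proto tcp from any to $web port 80 \
    flags S/SA keep state

# Same box, with synproxy in front of the service. pf.conf(5) says this
# cannot be combined with sloppy, so the two options are mutually
# exclusive choices, not layers.
pass in on $ext_if proto tcp from any to $web port 443 \
    flags S/SA synproxy state

# DON'T: sloppy on a regular firewall disables the sequence checks
# entirely, which the post says "deserves more than a spanking".
# pass in on $ext_if proto tcp from any to $web port 80 \
#     keep state (sloppy)

# Only defensible use: a path where this box sees just one direction of
# the connection (e.g. direct server return behind relayd), with a
# separate pf box doing real state tracking in front of it. "flags any"
# lets the state be created from whichever half of the flow arrives.
pass in on $dsr_if proto tcp from any to $dsr_vip port 80 \
    flags any keep state (sloppy)
```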