Re: Sloppy states

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Henning Brauer <lists-openbsd@...>

To: <misc@...>

Date: Tuesday, June 10, 2008 - 10:42 pm

* STeve Andre'  [2008-06-11 04:34]:

quoted text> On Tuesday 10 June 2008 20:40:02 you wrote:

> > * Reyk Floeter  [2008-06-11 01:13]:

> > > CVSROOT:	/cvs

> > > Module name:	src

> > > Changes by:	reyk@cvs.openbsd.org	2008/06/10 17:12:36

> > >

> > > Modified files:

> > > 	usr.sbin/relayd: pfe_filter.c relayd.conf.5

> > >

> > > Log message:

> > > set the inactivity timeout of redirections to a shorter timeout of 600

> > > seconds by default (pf's default is 86400s), they can be cranked with

> > > the "session timeout" directive and it is consistent to relay session

> > > timeouts. also remove the hack to modify the closing timeout because

> > > pf's sloppy state handling is taking care about half connection

> > > closing now.

> >

> > can you guess how much reyk was prodding me for the sloppy states? :)

>

> I'm looking around and don't quite get sloppy states.  Looking at the code

> isn't quite helping.  Anything else I can read?
like, pf.conf(5)?
     sloppy

           Uses a sloppy TCP connection tracker that does not check sequence

           numbers at all, which makes insertion and ICMP teardown attacks way

           easier.  This is intended to be used in situations where one does

           not see all packets of a connection, e.g. in asymmetric routing

           situations.  Cannot be used with modulate or synproxy state.
comes down to "do not use them".

there are some very special circumstances where they make things

possible that didn't work before, like relayd setups with that direct

server return stuff (where you should run another pf box with real

state tracking in front of the relayd box) or cases where you only see

half of the connection, and there one stillhas to be very careful.
anyone using sloppy statekeeping on regular firewalls deserves more

than a spanking.
--

Henning Brauer, hb@bsws.de, henning@openbsd.org

BS Web Services, http://bsws.de

Full-Service ISP - Secure Hosting, Mail and DNS Services

Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Sloppy states, STeve Andre', (Tue Jun 10, 9:06 pm)

Re: Sloppy states, Henning Brauer, (Tue Jun 10, 10:42 pm)

Re: Sloppy states, STeve Andre', (Tue Jun 10, 11:34 pm)

Re: Sloppy states, Sam Fourman Jr., (Tue Jun 10, 10:38 pm)

Re: Sloppy states, Henning Brauer, (Tue Jun 10, 10:43 pm)

Navigation

Popular discussions


linux-kernel:
Greg KH	[GIT PATCH] driver core patches against 2.6.24
James Bottomley	Re: Announce: Linux-next (Or Andrew's dream :-))
Andrew Morton	echo mem > /sys/power/state
Peter Zijlstra	[PATCH 00/23] per device dirty throttling -v8
git:

linux-netdev:
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
David Miller	[GIT]: Networking
Gerrit Renker	[PATCH 18/37] dccp: Support for Mandatory options
Michael S. Tsirkin	Re: [RFC PATCH v2 03/19] vbus: add connection-client helper infrastructure
linux-raid:
NeilBrown	[PATCH 00/18] Assorted md patches headed for 2.6.30
Justin Piszcz	General question (scheduler) with SSDs?
Neil Brown	Re: Any hope for a 27 disk RAID6+1HS array with four disks reporting "No md superb...
Ryan Wagoner	High IO Wait with RAID 1

Colocation donated by: