Re: [Full-Disclosure] IETF Draft - Fix for TCP vulnerability (fw

On Fri, 23 Apr 2004, jayanth wrote:

> > I think Darren's suggestion would be a reasonable compromise; use the
> > strict check in the ESTABLISHED state, and the permissive check otherwise.
> > Established connections are what would be attacked, so we need the
> > security there, but the closing states are where oddities seem to pop up,
> > so we can use the permissive check there.
> >
> > If this is acceptable, I'd like to get it committed this weekend so that
> > we can still get it into 4.10.
> >
>
> sure, that sounds reasonable. The sysctl should be good for yahoo.
>
> thanks,
> jayanth

There wouldn't be a sysctl, as you wouldn't need one, if I understand
things correctly.  Since the "bad" RST is in response to the FreeBSD box
sending a FIN, the FreeBSD box would have already transitioned to
FIN_WAIT_1, and would accept the "bad" RST, as it would only be subject to
the check we're using at present.

Mike "Silby" Silbersack
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"