* STeve Andre' <[EMAIL PROTECTED]> [2008-06-11 04:34]:
> On Tuesday 10 June 2008 20:40:02 you wrote:
> > * Reyk Floeter <[EMAIL PROTECTED]> [2008-06-11 01:13]:
> > > CVSROOT:  /cvs
> > > Module name:      src
> > > Changes by:       [EMAIL PROTECTED]       2008/06/10 17:12:36
> > >
> > > Modified files:
> > >   usr.sbin/relayd: pfe_filter.c relayd.conf.5
> > >
> > > Log message:
> > > set the inactivity timeout of redirections to a shorter timeout of 600
> > > seconds by default (pf's default is 86400s), they can be cranked with
> > > the "session timeout" directive and it is consistent to relay session
> > > timeouts. also remove the hack to modify the closing timeout because
> > > pf's sloppy state handling is taking care about half connection
> > > closing now.
> >
> > can you guess how much reyk was prodding me for the sloppy states? :)
> 
> I'm looking around and don't quite get sloppy states.  Looking at the code
> isn't quite helping.  Anything else I can read?

like, pf.conf(5)?

     sloppy
           Uses a sloppy TCP connection tracker that does not check sequence
           numbers at all, which makes insertion and ICMP teardown attacks way
           easier.  This is intended to be used in situations where one does
           not see all packets of a connection, e.g. in asymmetric routing
           situations.  Cannot be used with modulate or synproxy state.

comes down to "do not use them".
there are some very special circumstances where they make things 
possible that didn't work before, like relayd setups with that direct 
server return stuff (where you should run another pf box with real 
state tracking in front of the relayd box) or cases where you only see 
half of the connection, and there one still has to be very careful.

anyone using sloppy statekeeping on regular firewalls deserves more 
than a spanking.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
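As an added illustration (not part of this thread, and not taken from relayd's or pf's own documentation), here is how the advice above looks in configuration: the ordinary rule keeps pf's default full sequence tracking, sloppy tracking is scoped to the one VIP where the relayd box only sees half the connection, and the redirect's inactivity timeout is stated explicitly. Interface names, addresses and host lists are assumed placeholders.

```conf
# pf.conf on the relayd box (interface and addresses are assumed values)
ext_if    = "em0"
dsr_vip   = "192.0.2.10"    # VIP answered via direct server return
other_vip = "192.0.2.11"    # VIP whose whole connection passes this box

# Normal case: the default tracker checks TCP sequence numbers.
pass in on $ext_if proto tcp to $other_vip port 80 keep state

# Sloppy tracking only where pf sees one direction of the flow (DSR):
# the replies never cross this box, so sequence checks cannot work.
# Per pf.conf(5) this cannot be combined with modulate or synproxy state,
# and a separate pf box with real state tracking should sit in front.
pass in on $ext_if proto tcp to $dsr_vip port 80 keep state (sloppy)

# relayd.conf: the redirect for that VIP, with the inactivity timeout
# set explicitly to the 600s default mentioned in the commit log
# (pf's own tcp.established default is 86400s).
dsr_vip = "192.0.2.10"
table <webhosts> { 192.0.2.21 192.0.2.22 }

redirect www {
	listen on $dsr_vip port 80
	forward to <webhosts> port 80 check tcp
	session timeout 600
}
```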
