Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h

2000-12-18 Thread Kris Kennaway
On Sun, Dec 17, 2000 at 04:12:19PM -0500, Robert Watson wrote:
> On Sun, 17 Dec 2000, Jesper Skriver wrote:
>
> > - ip source and destination addresses
> > - tcp source and destination ports
> > - tcp sequence number
> >
> > Can we make it zap the sessions regardless of the current state ?
> >

Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h

2000-12-17 Thread Jesper Skriver
On Sun, Dec 17, 2000 at 08:04:25PM +0100, Jesper Skriver wrote:
> The only thing I can see, we can do to improve the security of this,
> would be to match against the TCP sequence number too, I have a patch for
> this too, but I need to test it, will be back.

Attached is a diff which implement th

Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h

2000-12-17 Thread Jacques A. Vidrine
On Sun, Dec 17, 2000 at 10:08:52PM +0100, Jesper Skriver wrote:
> >(2) These same messages are not handled for connections not in
> >SYN-SENT: they ought to be
>
> Well, yes, but the real problem is when sessions are setup, the reason I
> only configured it to affect sessions in SYN-S

Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h

2000-12-17 Thread Robert Watson
On Sun, 17 Dec 2000, Jesper Skriver wrote:
> - ip source and destination addresses
> - tcp source and destination ports
> - tcp sequence number
>
> Can we make it zap the sessions regardless of the current state ?
>
> And perhaps enable it by default ?

I admit that I had assumed, from the comm

Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h

2000-12-17 Thread Jesper Skriver
On Sun, Dec 17, 2000 at 10:26:13AM -0600, Jacques A. Vidrine wrote:
> [Moved to freebsd-net]
>
> On Sun, Dec 17, 2000 at 09:59:14AM -0600, Jacques A. Vidrine wrote:
> > On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > > In message <[EMAIL PROTECTED]>, Kris Kennaway writes:
>

Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h

2000-12-17 Thread Kris Kennaway
On Sun, Dec 17, 2000 at 10:26:13AM -0600, Jacques A. Vidrine wrote:
> > ICMP packets include the headers of the packets that `triggered' them,
> > so we do have a sequence number.
> >
> > I think the correct thing to do is to pull the source address,
> > destination address, source port, destina

Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h

2000-12-17 Thread Jacques A. Vidrine
[Moved to freebsd-net]

On Sun, Dec 17, 2000 at 09:59:14AM -0600, Jacques A. Vidrine wrote:
> On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > In message <[EMAIL PROTECTED]>, Kris Kennaway writes:
> > >This sounds like a security hole since ICMP messages don't have a TCP
> >