From nobody@FreeBSD.org  Thu May 22 11:46:41 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 22732428
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 22 May 2014 11:46:41 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 1019928F3
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 22 May 2014 11:46:41 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
	by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s4MBke3W066077
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 22 May 2014 11:46:40 GMT
	(envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
	by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s4MBkeLx066076;
	Thu, 22 May 2014 11:46:40 GMT
	(envelope-from nobody)
Message-Id: <201405221146.s4MBkeLx066076@cgiserv.freebsd.org>
Date: Thu, 22 May 2014 11:46:40 GMT
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         190102
>Category:       kern
>Synopsis:       [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+ [regression]
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 22 11:50:01 UTC 2014
>Closed-Date:    
>Last-Modified:  Thu May 29 12:30:00 UTC 2014
>Originator:     Mark Felder
>Release:        10.0-RELEASE
>Organization:
SupraNet Communications Inc.
>Environment:
FreeBSD wil.supranet.net 10.0-RELEASE-p3 FreeBSD 10.0-RELEASE-p3 #0: Tue May 13 18:31:10 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+


>How-To-Repeat:
Run this scan on identically configured FreeBSD 9 and FreeBSD 10 servers


nmap -v -v --scanflags SYNFIN -P0 <target>


FreeBSD 9 servers will report "filtered" which is correct. FreeBSD 10
servers will report "open", which means it is vulnerable to this attack
to bypass the firewall.

The firewall in use on these machines is pf. It is possible to block
SYN/FIN on pf as well, but our standard deployment is the sysctl method.
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu May 22 21:00:27 UTC 2014 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=190102 

From: Eygene Ryabinkin <rea@freebsd.org>
To: FreeBSD GNATS followup <bug-followup@freebsd.org>,
	freebsd-net@freebsd.org
Cc:  
Subject: Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on
 FreeBSD 10+ [regression]
Date: Thu, 29 May 2014 09:46:45 +0400

 
 I assume that your pf(4) is enabled during these tests, you have
 "scrub" statements in the ruleset and removing "scrub" will restore
 the expected behaviour on 10.x?
 
 I am slightly amused that on 9.x with "scrub" you're getting the
 expected behaviour, because clearing FIN bit for SYN packets was
 the standard behaviour of pf for at least approximately 10 years,
   http://svnweb.freebsd.org/base/vendor-sys/pf/dist/sys/contrib/pf/net/pf_norm.c?view=markup&pathrev=126258#l1242
 
 Can you show relevant parts of the pf.conf from both machines
 and output from 'pfctl -s rules' if you are sure that both machines
 are configured identically pf-wise?
 
 Thanks!
 -- 
 Eygene Ryabinkin                                        ,,,^..^,,,
 [ Life's unfair - but root password helps!           | codelabs.ru ]
 [ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
 
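To make the interaction under discussion concrete, here is an added illustration (not FreeBSD kernel, pf or nmap code, and not written by anyone in this thread) that models the path a SYN+FIN probe takes: an optional pf "scrub" stage that clears FIN on a SYN, as Eygene describes, then a listening socket that honours net.inet.tcp.drop_synfin, and finally the verdict nmap's SYN-based --scanflags probe would derive from the reply (SYN/ACK: open, RST: closed, no reply: filtered). The `Segment`, `pf_scrub`, `tcp_listen_input` and `has_scrub_rule` names and the sample pf.conf fragments are all constructed for this example; the scrub rule check is a rough text scan, not pfctl's parser.

```python
"""Added illustration for kern/190102: models how an nmap SYN+FIN probe is
classified when pf "scrub" normalization sits in front of the kernel's
net.inet.tcp.drop_synfin check. Educational model, not FreeBSD, pf or nmap code."""
from dataclasses import dataclass
from itertools import product

# TCP header flag bits
TH_FIN = 0x01
TH_SYN = 0x02
TH_RST = 0x04
TH_ACK = 0x10


@dataclass(frozen=True)
class Segment:
    flags: int


def pf_scrub(seg: Segment) -> Segment:
    """Stand-in for the pf normalization described in the thread: a SYN that
    also carries FIN has its FIN bit cleared before the stack sees it."""
    if seg.flags & TH_SYN and seg.flags & TH_FIN:
        return Segment(seg.flags & ~TH_FIN)
    return seg


def tcp_listen_input(seg: Segment, drop_synfin: bool):
    """Model of a listening socket handling one segment.
    Returns the flags of the reply, or None when nothing is sent."""
    if drop_synfin and seg.flags & TH_SYN and seg.flags & TH_FIN:
        return None                      # drop_synfin=1: discard silently
    if seg.flags & TH_SYN and not seg.flags & TH_ACK:
        return TH_SYN | TH_ACK           # ordinary handshake reply
    if seg.flags & TH_ACK:
        return TH_RST                    # stray ACK to a listener gets RST
    return None


def nmap_verdict(reply) -> str:
    """How a SYN-based --scanflags probe labels the port from the reply."""
    if reply is None:
        return "filtered"
    if reply & TH_RST:
        return "closed"
    if reply & TH_SYN and reply & TH_ACK:
        return "open"
    return "unknown"


def probe(drop_synfin: bool, scrub: bool) -> str:
    """Send one SYN+FIN probe through the optional scrub stage and the
    kernel check, and return nmap's verdict."""
    seg = Segment(TH_SYN | TH_FIN)
    if scrub:
        seg = pf_scrub(seg)
    return nmap_verdict(tcp_listen_input(seg, drop_synfin))


def verdict_table() -> dict:
    """All four combinations; the point for this PR is that scrub turns the
    expected "filtered" into "open" even with the sysctl set."""
    return {(d, s): probe(d, s) for d, s in product((True, False), (True, False))}


def has_scrub_rule(pfconf: str) -> bool:
    """Rough check for an active scrub rule in pf.conf text, skipping
    comments and blank lines. Constructed helper, not pfctl's parser."""
    for line in pfconf.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped.startswith("scrub"):
            return True
    return False


if __name__ == "__main__":
    for (d, s), v in verdict_table().items():
        print(f"drop_synfin={int(d)} scrub={'yes' if s else 'no':3} -> {v}")
    # Constructed sample pf.conf fragments
    print(has_scrub_rule("set skip on lo0\nscrub in all\npass out\n"))      # True
    print(has_scrub_rule("# scrub in all\npass in proto tcp to port 22\n"))  # False
```

The model only covers the mechanism Eygene proposes (scrub rewriting the probe before the sysctl can act on it); the submitter later reports that his test box has no scrub statements, so a box that still answers "open" with drop_synfin=1 and no scrub rule is not explained by this table.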

From: hiren panchasara <hiren.panchasara@gmail.com>
To: Eygene Ryabinkin <rea@freebsd.org>
Cc: FreeBSD GNATS followup <bug-followup@freebsd.org>, 
	"freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on
 FreeBSD 10+ [regression]
Date: Wed, 28 May 2014 23:52:51 -0700

 On Wed, May 28, 2014 at 10:46 PM, Eygene Ryabinkin <rea@freebsd.org> wrote:
 > I assume that your pf(4) is enabled during these tests, you have
 > "scrub" statements in the ruleset and removing "scrub" will restore
 > the expected behaviour on 10.x?
 
 I can confirm that I see exactly what you are saying on a stable/10 box.
 
 cheers,
 Hiren

From: Eygene Ryabinkin <rea@freebsd.org>
To: hiren panchasara <hiren.panchasara@gmail.com>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>,
	FreeBSD GNATS followup <bug-followup@freebsd.org>
Subject: Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on
 FreeBSD 10+ [regression]
Date: Thu, 29 May 2014 12:00:05 +0400

 
 Wed, May 28, 2014 at 11:52:51PM -0700, hiren panchasara wrote:
 > On Wed, May 28, 2014 at 10:46 PM, Eygene Ryabinkin <rea@freebsd.org> wrote:
 > > I assume that your pf(4) is enabled during these tests, you have
 > > "scrub" statements in the ruleset and removing "scrub" will restore
 > > the expected behaviour on 10.x?
 >
 > I can confirm that I see exactly what you are saying on a stable/10 box.
 
 I had found 2 flavors of 9.x boxen: 9.1/9.2 that behave like 10.x and
 some 9.0 that are dropping SYN|FIN even in the presence of "scrub".
 The trouble is that the latter boxes are in full production, so I need
 some time to try to reproduce that on the test box.
 -- 
 Eygene Ryabinkin                                        ,,,^..^,,,
 [ Life's unfair - but root password helps!           | codelabs.ru ]
 [ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
 

From: Mark Felder <feld@freebsd.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on
 FreeBSD 10  [regression]
Date: Thu, 29 May 2014 07:25:31 -0500

 The test box in particular is using pf and does not have any scrub 
 statements in pf.conf. The dropping of SYN+FIN worked for us in 9.1 and 
 older just by setting net.inet.tcp.drop_synfin=1. We skipped 9.2 for the 
 most part, so I don't have any experience with its behavior in 
 production.
>Unformatted:
