Re: unclean match
On Wed, 21 Aug 2002, Bernd Eckenfels wrote:
> On Wed, Aug 21, 2002 at 11:19:55AM +1000, Daniel Pittman wrote:
>> Ack. Something to watch out for, then: the unclean match used to
>> consider any ECN packet "unclean". That snippet looks like it still
>> may.
>
> it looks like, but the definition is ok:
>
> TCP_RESERVED_BITS = __constant_htonl(0x0F000000), <- 4 not 6 bits
>
> so at least 2.4.7 is safe. The patch is from last year in August. But
> you are right, those checks are the reason why the module is not
> turned on by default, the meaning of the reserved bits may change :)
Oh, good. That's nice to know. I glanced at my kernel source but missed
that change, so it's nice to know that I was wrong. :)
> Of course this is also true for filter rules and therefore no big deal
> to worry about. Perhaps it would be good to turn off some checks on
> runtime, but you can always modify the source, it is the most
> performant filter since those checks will be in the IP receiving
> hotpath.
*nod* Personally, I don't bother with this sort of filtering at all,
even though I have Windows hosts that can see directly forwarded packets
from the Internet.[1]
If, and only if, some attack that actually matters becomes available
then I would add filtering for the invalid packets specifically.
Of course, this is mostly because I only allow packets from established
connections though, so the majority of the scans, etc, get dropped by
the firewall anyhow.
Daniel
Footnotes:
[1] For a small subset of things, not a wide open host. :)
--
An independent reality in the ordinary physical sense can neither be
ascribed to the phenomenon nor to the agencies of observation.
-- Niels Bohr
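To make the point of the exchange above concrete, here is an added example (not code from the thread, nor from the iptables unclean module itself) showing why a 4-bit reserved-field mask treats an ECN packet as clean while a 6-bit one does not. TCP_RESERVED_BITS = htonl(0x0F000000) is the value quoted in the thread; the 6-bit mask 0x0FC00000 is my assumption of the old RFC 793 layout, where the two bits RFC 3168 later gave to CWR and ECE were still reserved. The helper names are mine, and the header words are constructed inline for the demonstration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 4th 32-bit word of a TCP header (byte offset 12), in host order:
 *   bits 31..28  data offset
 *   bits 27..24  reserved (after RFC 3168 gave two bits to ECN)
 *   bit  23      CWR   bit 22 ECE   (ECN, RFC 3168)
 *   bits 21..16  URG ACK PSH RST SYN FIN
 *   bits 15..0   window
 */
#define TCP_RESERVED_BITS      0x0F000000u /* value quoted in the thread: 4 bits */
#define TCP_RESERVED_BITS_RFC793 0x0FC00000u /* assumed pre-RFC-3168 6-bit mask */

/* 8 flag bits as they appear in the header's 14th byte. */
#define TCPF_CWR 0x80
#define TCPF_ECE 0x40
#define TCPF_SYN 0x02

/* Build the header word in network byte order, as it would sit on the wire. */
static void tcp_word3(uint8_t out[4], unsigned doff, unsigned reserved,
                      unsigned flags8, unsigned window)
{
    uint32_t w = ((uint32_t)(doff & 0xF) << 28)
               | ((uint32_t)(reserved & 0xF) << 24)
               | ((uint32_t)(flags8 & 0xFF) << 16)
               | (window & 0xFFFFu);
    uint32_t n = htonl(w);
    memcpy(out, &n, 4);
}

/* The unclean-style test: any reserved bit set under the mask means
 * "unclean". Both operands are in network order, which is how the kernel
 * compares the raw header word against the htonl()'d constant. */
static int reserved_bits_set(const uint8_t word3[4], uint32_t mask_host)
{
    uint32_t n;
    memcpy(&n, word3, 4);
    return (n & htonl(mask_host)) != 0;
}

/* An ECN-setup SYN (SYN + ECE + CWR, reserved field zero). Returns 1 if
 * the chosen mask would flag it as unclean. */
int ecn_syn_unclean(int use_rfc793_mask)
{
    uint8_t w[4];
    tcp_word3(w, 5, 0, TCPF_SYN | TCPF_ECE | TCPF_CWR, 8192);
    return reserved_bits_set(w, use_rfc793_mask ? TCP_RESERVED_BITS_RFC793
                                                : TCP_RESERVED_BITS);
}

/* A plain SYN with a genuinely reserved bit (bit 27) set. Both masks
 * should flag this one. */
int reserved_bit_syn_unclean(int use_rfc793_mask)
{
    uint8_t w[4];
    tcp_word3(w, 5, 0x8, TCPF_SYN, 8192);
    return reserved_bits_set(w, use_rfc793_mask ? TCP_RESERVED_BITS_RFC793
                                                : TCP_RESERVED_BITS);
}

int main(void)
{
    printf("ECN SYN, 4-bit mask:      %s\n", ecn_syn_unclean(0) ? "unclean" : "clean");
    printf("ECN SYN, 6-bit mask:      %s\n", ecn_syn_unclean(1) ? "unclean" : "clean");
    printf("reserved-bit SYN, 4-bit:  %s\n", reserved_bit_syn_unclean(0) ? "unclean" : "clean");
    printf("reserved-bit SYN, 6-bit:  %s\n", reserved_bit_syn_unclean(1) ? "unclean" : "clean");
    return 0;
}
```

The ECN-negotiating SYN passes the 4-bit mask and is dropped by the 6-bit one, which is exactly the false positive Daniel remembered; a packet with a still-reserved bit set is caught by both. The same fragility applies to any filter rule that matches on header bits whose meaning a later RFC may reassign.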