Re: Is this possible SYN Proxy bug?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jun 18, 2019 at 2:59 PM Florian Westphal <fw@xxxxxxxxx> wrote:

> >
> > I am confused. So this statement from manual page is just a illusion?
> > --mss maximum segment size
> >               Maximum segment size announced to clients. This must
> > match the backend.
>
> ?
>
> Your question was about MSS sent to server.
>
> Flow is this:
> Client          Synproxy         Server
> -> Syn, mss X
>     <-Synack,mss M
> -> ACK
>                      -> Syn, mss Y
>
> M is what you need to configure via --mss switch.
>
> Because Synproxy keeps no state, it can only send
> to real server the MSS that was encoded in syncookie (in synack)
> packet.  Therefore, X == Y only if the Value from client matches
> exactly one for the four values of the mss table, in all other
> cases Y is the next lowest available one.  In your case thats 536.
>
> > I don't understand why these restriction exist. Why can't we set mss
> > value same as what client send to us?
>
> We only have 2 bits out of the 32Bit Sequence number for MSS. Increasing
> mss state table reduces security margin of the cookie.

My question about both way actually. If you check out my tests, M is
also not correct. Client sends mss 1260 and syn proxy responds 1260
too although I set mss 1460 in iptables.



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux