Re: help: raw_ip socket and system implication

From: Dug Song (dugsong@monkey.org)
Date: 11/20/01


Date: Tue, 20 Nov 2001 12:29:14 -0500
From: Dug Song <dugsong@monkey.org>
To: "qgiorgi@respublica.fr" <qgiorgi@respublica.fr>
Subject: Re: help: raw_ip socket and system implication
Message-ID: <20011120122914.G18676@naughty.monkey.org>

On Tue, Nov 20, 2001 at 05:36:23PM +0100, qgiorgi@respublica.fr wrote:

> so i have
> -> SYN
> <- SYN/ACK
> -> RST ( system part ) :(
> -> ACK ( my prog )
>
> Does anybody have a means to prevent the system from sending this RST?

use libdnet's fw interface to block the incoming SYN/ACK before you
even send your SYN, if your system supports firewalling (via pf, ipf,
ipfw, or ipchains):

        #include <err.h>
        #include <string.h>
        #include <dnet.h>  /* libdnet: fw_t, struct fw_rule, FW_*, IP_PROTO_TCP, TCP_PORT_MAX */

        struct fw_rule rule;
        fw_t *fw;

        /* needs root; NULL when no supported packet filter is available */
        if ((fw = fw_open()) == NULL)
                err(1, "fw_open");

        /* libdnet 1.1 and later name these fields fw_op, fw_dir, fw_proto,
           fw_sport and fw_dport; zeroed src/dst means any address */
        memset(&rule, 0, sizeof(rule));
        rule.op = FW_OP_BLOCK;                  /* block */
        rule.direction = FW_DIR_IN;             /* incoming */
        rule.proto = IP_PROTO_TCP;              /* TCP */
        rule.sport[1] = TCP_PORT_MAX;           /* any sport (0..TCP_PORT_MAX) */
        rule.dport[0] = rule.dport[1] = 666;    /* to dport 666 */

        if (fw_add(fw, &rule) < 0)
                err(1, "fw_add");

        /* Send SYN from port 666 */
        ...

        fw_delete(fw, &rule);                   /* always remove the rule again */
        fw_close(fw);

see http://libdnet.sourceforge.net/ for details...

-d.

---
http://www.monkey.org/~dugsong/
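The mechanism the reply relies on, as an added stand-alone model in C (example code, not from the post or from libdnet): it re-declares the rule fields from the snippet with constructed constant values, matches an inbound segment against the rule the way a packet filter would, and applies the RFC 793 rule that a segment arriving for a local port with no socket is answered with RST unless it is itself a RST. Port 80 as the peer's port is assumed.

```c
#include <stdint.h>
#include <string.h>
/* constants mirror libdnet's names; values are constructed for this model */
#define FW_OP_BLOCK  2
#define FW_DIR_IN    1
#define IP_PROTO_TCP 6
#define TCP_PORT_MAX 65535
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* same fields the post sets; struct addr members omitted (any src/dst) */
struct fw_rule { uint8_t op, direction, proto; uint16_t sport[2], dport[2]; };
/* one TCP segment as the packet filter and the stack see it */
struct seg { uint8_t dir, proto, flags; uint16_t sport, dport; };

/* Inclusive port ranges: a zeroed rule with sport[1] = TCP_PORT_MAX
 * matches every source port, dport[0] == dport[1] pins a single port. */
static int rule_matches(const struct fw_rule *r, const struct seg *s)
{
        return r->direction == s->dir && r->proto == s->proto &&
               s->sport >= r->sport[0] && s->sport <= r->sport[1] &&
               s->dport >= r->dport[0] && s->dport <= r->dport[1];
}

/* Inbound segment for a local port with no socket (the situation in the
 * thread). Per RFC 793 the stack answers with RST unless the segment is
 * itself a RST; a matching block rule drops it before the stack sees it.
 * Returns 1 when the host would emit the unwanted RST. */
static int host_sends_rst(const struct fw_rule *block, const struct seg *s)
{
        if (block && block->op == FW_OP_BLOCK && rule_matches(block, s))
                return 0;
        return (s->flags & TH_RST) == 0;
}

/* The exchange from the thread: raw SYN from port 666, peer's SYN/ACK
 * (sport 80, dport 666) comes back. with_rule selects whether the block
 * rule was installed before the SYN went out. */
static int rst_leaks_for_synack(int with_rule)
{
        struct fw_rule rule;
        struct seg synack = { FW_DIR_IN, IP_PROTO_TCP, TH_SYN | TH_ACK, 80, 666 };
        memset(&rule, 0, sizeof(rule));
        rule.op = FW_OP_BLOCK; rule.direction = FW_DIR_IN; rule.proto = IP_PROTO_TCP;
        rule.sport[1] = TCP_PORT_MAX; rule.dport[0] = rule.dport[1] = 666;
        return host_sends_rst(with_rule ? &rule : NULL, &synack);
}
```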
