I've been running a few TCP-traceroutes towards some target and noticed that larger SYN packets (say, >5B TCP payload) are dropped. But only in IPv4. In IPv6 those are still delivered.

I also ran UDP- and ICMP-based traceroutes of the same sizes from the same vantage points towards the same target, and they are not dropped (neither in IPv4, nor in IPv6).

Meaning, the connectivity issue I'm seeing seems to be related to TCP/IPv4, especially for larger packets.

Does anyone know firewalls that filter large SYN packets (preferably for IPv4)? If so, why is this done? And why not just filter all SYN packets?

Sending payload in a SYN TCP segment isn't prohibited by RFC 9293 but practically that doesn't happen. Accordingly, stateful firewalls may drop/reject packets carrying such segments. I guess the difference with IPv6 is mostly due to relaxed inspection.

UDP and ICMP have no connection states, so sending a payload in a probing packet isn't obviously suspicious.

And why not just filter all SYN packets?

That would inhibit all TCP communication.

  • "Practically that doesn't happen" should have stopped when Google Chrome began deploying TCP Fast Open a decade ago. (I distinctly remember my home router at the time complaining loudly in its logs about every HTTP connection being an "attack".) Commented Nov 4 at 7:56
  • @grawity TFO can only be used on subsequent TCP connects, not on the initial one. It also failed to catch on due to protocol ossification, the exact problem you're describing. Yet, TFO might be the reason that middleboxes hold a more relaxed view for IPv6. Commented Nov 4 at 10:15
  • Do any stateful firewalls care that it "can only be used on subsequent TCP connects"? To my knowledge, even stateful firewalls do not keep that kind of long-term state between connections, just for the sake of dropping legal-by-specification packets. Commented Nov 4 at 10:19
  • "just for the sake of dropping legal-by-specification packets" - ideally, but modern UTM appliances have long passed that point and filter most packets out of the ordinary, increasing ossification. Commented Nov 4 at 10:22