IPFilter Firewall Race Condition Vulnerability
If IPFilter rulesets are constructed such that "return-rst" and "keep state" overlap, e.g.:
    block return-rst in proto tcp from A to V
    pass out proto tcp from V' to A' keep state
where A, A', V and V' are hostmasks that can include "any", the attacker matches A and A', and the victim matches V and V', the attacker may exploit a race condition in the state table generation code. The root cause is that fr_addstate() wrongly creates a new state entry for the outgoing RST packet generated by the "return-rst" rule. If a new SYN packet arrives before the state entry created by that RST expires, the entry allows the SYN to pass through the firewall, and the explicit permissiveness of a "pass out all keep state" or similar rule then allows the SYN-ACK and all subsequent ACKs to create further state entries. The attacker merely needs to ignore the RSTs being sent back and continue to send packets to the victim.
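To catch this overlap in a ruleset before it is loaded, the following lint script is an added example (not part of the advisory or of IPFilter): it parses a simplified, constructed rule grammar and reports every "block return-rst in" rule paired with a "pass out ... keep state" rule whose hostmasks overlap in the reverse direction. The grammar, the SAMPLE ruleset and its addresses are assumptions made for the example.

```python
"""Lint for the return-rst / keep-state overlap: parse a simplified IPFilter
rule syntax (constructed for this example) and report racing rule pairs."""
import ipaddress
import re

# Assumed grammar: <block|pass> [return-rst] <in|out> proto tcp from M to M [keep state]
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<rst>(?:return-rst\s+)?)(?P<dir>in|out)\s+"
    r"proto\s+tcp\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<state>\s+keep\s+state)?\s*$"
)

def parse(text):
    """Return one dict per recognised rule; comments and unsupported lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if m:
            rules.append({"line": lineno, "action": m["action"], "dir": m["dir"],
                          "return_rst": bool(m["rst"]), "keep_state": bool(m["state"]),
                          "src": m["src"], "dst": m["dst"]})
    return rules

def overlaps(mask_a, mask_b):
    """True when two hostmasks can match the same address ('any' matches everything)."""
    if "any" in (mask_a, mask_b):
        return True
    return ipaddress.ip_network(mask_a, strict=False).overlaps(
        ipaddress.ip_network(mask_b, strict=False))

def find_races(rules):
    """Pair each 'block return-rst in' rule (A -> V) with every 'pass out keep state'
    rule (V' -> A') whose masks overlap in the reverse direction, i.e. V' meets V
    and A' meets A: the state entry created for the RST then lets A's next SYN in."""
    blocks = [r for r in rules if r["action"] == "block" and r["return_rst"] and r["dir"] == "in"]
    passes = [r for r in rules if r["action"] == "pass" and r["keep_state"] and r["dir"] == "out"]
    return [(b["line"], p["line"]) for b in blocks for p in passes
            if overlaps(p["src"], b["dst"]) and overlaps(p["dst"], b["src"])]

# Constructed sample ruleset; lines 1 and 2 form the overlap described in the advisory.
SAMPLE = "\n".join([
    "block return-rst in proto tcp from any to 192.0.2.10/32",
    "pass out proto tcp from 192.0.2.0/24 to any keep state",
    "pass out proto tcp from 198.51.100.5/32 to 10.0.0.0/8 keep state",
    "block return-rst in proto tcp from 203.0.113.0/24 to 198.51.100.5/32",
])

if __name__ == "__main__":
    for block_line, pass_line in find_races(parse(SAMPLE)):
        print(f"race: 'block return-rst' on line {block_line} overlaps "
              f"'pass ... keep state' on line {pass_line}")
```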