From: Jesper Wallin <jesper@nohack.se>
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org
Date: Tue, 25 Nov 2008 03:45:16 +0100
Subject: Re: Dropping syn+fin replies, but not really?
Message-ID: <20081125024516.GA81845@zero.nohack.se>
In-Reply-To: <+ug4ae9RHVVTC7ztvaDEPTyd/iQ@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>
* Eygene Ryabinkin [2008-11-23 23:43:03 +0300]:
> Eirik, good day.
>
> Sun, Nov 23, 2008 at 05:03:15PM +0100, Eirik Øverby wrote:
> > I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> > FreeBSD servers. Now we're required to run external security scans
> > (nessus++) on some of the hosts, and they constantly come back with a
> > "high" or "medium" severity problem: The host replies to TCP packets
> > with SYN+FIN set.
> >
> > Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> > host in question (recent FreeBSD 7.2-PRERELEASE) have
> > net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> > non-issue.
>
> First of all, (if I am correct) your firewall's setting for drop_synfin
> isn't relevant for the packets that are traversing the firewall: the TCP
> input layer drops these and the firewall isn't using this layer.
>
> The easy way to identify if there are replies to SYN+FIN is to spawn
> tcpdump on the firewall and see what's going on. It may well be that
> some sort of scrubbing/modulation is done on the firewall, so when the
> firewall notices that the SYN + FIN is blackholed, it generates RST by
> itself or just blocks SYN + FIN by itself, but sends RST. I am making
> guesses here, because I can't test it just now and I have no idea about
> your setup.
>
> If I remember correctly, pf is used on the pfSense, so you can easily
> block SYN + FIN on the ingress port(s):
> -----
> block in quick on $ingress proto tcp from any to \
>     flags SF/ASF
> -----

Might be worth pointing out that if pfSense indeed uses pf, and it's set up
to use the "scrub" option, a packet with SYN/FIN will simply have the FIN
bit removed and the packet is delivered as a normal SYN packet. This will
probably cause most pen-testing software to believe that the target host
accepts packets with SYN/FIN set.

Come to think of it, I wrote a similar post about this a few years ago:
http://lists.freebsd.org/pipermail/freebsd-security/2005-July/003010.html

Though, don't use that "patch" unless you know what you're doing, especially
since it's written ages ago and the source has probably been modified once
or twice by now. :-)

Regards,
Jesper

> --
> Eygene
>
> Remember that it is hard to read the on-line manual while single-stepping
> the kernel.
>   -- FreeBSD Developers handbook
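A worked model of the behaviour discussed above, added here as an editor's example and not code from Jesper's or Eygene's posts: it encodes pf's `flags <set>/<mask>` rule semantics, the FIN-stripping that pf `scrub` applies to a SYN+FIN segment, and the host's `drop_synfin` sysctl, then walks one inbound SYN+FIN through the four combinations of scrub on/off and Eygene's block rule present/absent. The processing order (scrub, then filter rules, then the host's TCP input) follows how pf normalises a packet before matching rules; the outcome strings and the packet itself are constructed for illustration.

```python
# Added example, not code from the thread: a small model of the path an inbound
# SYN+FIN takes through a pf firewall and a FreeBSD host with drop_synfin=1.
# The order (scrub before filter rules, then the host) reflects how pf applies
# normalisation before rule matching. Outcome strings are constructed labels.
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"F": TH_FIN, "S": TH_SYN, "R": TH_RST, "P": TH_PSH, "A": TH_ACK, "U": TH_URG}


def parse_flags(letters):
    """Turn a pf/tcpdump style letter string such as "SF" into a flag bitmask."""
    return sum(FLAG_BITS[c] for c in letters)


def pf_flags_match(flags, rule):
    """pf 'flags a/b' semantics: of the bits named in b, exactly those in a are set."""
    want, mask = rule.split("/")
    return flags & parse_flags(mask) == parse_flags(want)


def scrub_normalize(flags):
    """pf scrub treats SYN+FIN as illegal and clears FIN instead of dropping it."""
    if flags & TH_SYN and flags & TH_FIN:
        flags &= ~TH_FIN
    return flags


def inbound_outcome(flags, scrub=False, block_synfin=False, drop_synfin=True):
    """Return what an external scanner would observe for one inbound packet.

    scrub        models pfSense's "scrub" option being enabled
    block_synfin models Eygene's rule:  block in quick ... flags SF/ASF
    drop_synfin  models net.inet.tcp.drop_synfin=1 on the target host
    """
    if scrub:
        flags = scrub_normalize(flags)  # runs before the filter rules see the packet
    if block_synfin and pf_flags_match(flags, "SF/ASF"):
        return "blocked by pf rule, no reply"
    # Packet reaches the host's TCP input layer, where drop_synfin is evaluated.
    if drop_synfin and pf_flags_match(flags, "SF/SF"):
        return "dropped by host drop_synfin, no reply"
    if pf_flags_match(flags, "S/SAFR"):
        return "SYN+ACK reply"  # this is what the scanner reports as "answers SYN+FIN"
    return "other"


if __name__ == "__main__":
    for scrub, block in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"scrub={scrub!s:5} block_rule={block!s:5} -> "
              f"{inbound_outcome(parse_flags('SF'), scrub, block)}")
```

The last combination is the one to watch: once scrub has turned the segment into a plain SYN, a `flags SF/ASF` block rule placed after it no longer matches, so the host answers with SYN+ACK even though both boxes have `drop_synfin=1`.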