From owner-freebsd-bugs@FreeBSD.ORG Thu May 22 11:50:01 2014
Return-Path:
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9F997493 for ; Thu, 22 May 2014 11:50:01 +0000 (UTC)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 631B6290E for ; Thu, 22 May 2014 11:50:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s4MBo1fv054165 for ; Thu, 22 May 2014 11:50:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s4MBo1ld054164; Thu, 22 May 2014 11:50:01 GMT (envelope-from gnats)
Resent-Date: Thu, 22 May 2014 11:50:01 GMT
Resent-Message-Id: <201405221150.s4MBo1ld054164@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Mark Felder
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 22732428 for ; Thu, 22 May 2014 11:46:41 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1019928F3 for ; Thu, 22 May 2014 11:46:41 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6]) by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s4MBke3W066077 for ; Thu, 22 May 2014 11:46:40 GMT (envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost) by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s4MBkeLx066076; Thu, 22 May 2014 11:46:40 GMT (envelope-from nobody)
Message-Id: <201405221146.s4MBkeLx066076@cgiserv.freebsd.org>
Date: Thu, 22 May 2014 11:46:40 GMT
From: Mark Felder
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: misc/190102: net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Thu, 22 May 2014 11:50:01 -0000

>Number:         190102
>Category:       misc
>Synopsis:       net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 22 11:50:01 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Mark Felder
>Release:        10.0-RELEASE
>Organization:
SupraNet Communications Inc.
>Environment:
FreeBSD wil.supranet.net 10.0-RELEASE-p3 FreeBSD 10.0-RELEASE-p3 #0: Tue May 13 18:31:10 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+
>How-To-Repeat:
Run this scan on identically configured FreeBSD 9 and FreeBSD 10 servers

nmap -v -v --scanflags SYNFIN -P0

FreeBSD 9 servers will report "filtered", which is correct.

FreeBSD 10 servers will report "open", which means it is vulnerable to this attack to bypass the firewall.

The firewall in use on these machines is pf. It is possible to block SYN/FIN on pf as well, but our standard deployment is the sysctl method.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: