Date: Sun, 23 Nov 2008 18:52:54 +0100
From: Pieter de Boer <pieter@thelostparadise.com>
To: Eirik Øverby <ltning@anduin.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Dropping syn+fin replies, but not really?
Message-ID: <49299876.4020702@thelostparadise.com>
In-Reply-To: <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net>
References: <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net>
Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.

I'd consider this at most a 'low' severity problem.

> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the host
> in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

Given security tools' (including Nessus') track records of false positives, I wouldn't be surprised if this was one of them.

> Have I missed something important? Apart from this the hosts and
> services get away without any serious issues, but the security audit
> company insists that this so-called hole be closed.

It's not a hole, but could possibly aid in bypassing filtering rules (which is quite unlikely in this day and age). It may be wise to find a security company that knows how to interpret and verify Nessus output.

If you want to do verification yourself, you could try the following:

- Run tcpdump on one of the servers and on the firewall
- Run nmap from an external host using the '--scanflags SYNFIN' flag with destination the server.

You can let tcpdump only show specific ports and source/destination addresses. It's probably useful to use nmap to scan both ports you know to be open and in use and ports that are filtered. Using the -p option to nmap, you can specify which ports to scan.

Perform the nmap scan and look at the tcpdump output to see how your firewall and/or server react.

G'luck,
Pieter
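The verification step Pieter describes ends with reading tcpdump output by hand. As an added example (not part of the thread), the following script classifies how a host answered each SYN+FIN probe in a tcpdump capture: a SYN+ACK means drop_synfin was not effective for that port, no reply means the probe was dropped, and an RST is the normal answer of a closed port. The capture lines and addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed tcpdump lines (not a real capture): one SYN+FIN probe per port.
# Port 80: host answers SYN+ACK (drop_synfin not effective there).
# Port 22: no reply (probe dropped). Port 81: RST (closed port, normal).
SAMPLE_TCPDUMP = """\
18:52:54.100001 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [SF], seq 1000, win 1024, length 0
18:52:54.100250 IP 192.0.2.10.80 > 203.0.113.5.40001: Flags [S.], seq 5000, ack 1001, win 65535, length 0
18:52:54.200001 IP 203.0.113.5.40002 > 192.0.2.10.22: Flags [SF], seq 1000, win 1024, length 0
18:52:54.300001 IP 203.0.113.5.40003 > 192.0.2.10.81: Flags [SF], seq 1000, win 1024, length 0
18:52:54.300200 IP 192.0.2.10.81 > 203.0.113.5.40003: Flags [R.], seq 0, ack 1001, win 0, length 0
"""

# Matches the "IP src.sport > dst.dport: Flags [..]" prefix of a tcpdump line.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def synfin_replies(capture: str) -> Dict[int, str]:
    """Map each destination port probed with SYN+FIN to the reply it received."""
    probes = {}  # (src, sport, dst, dport) of each probe -> probed port
    result: Dict[int, str] = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m["flags"]
        if "S" in flags and "F" in flags:          # the SYN+FIN probe itself
            probes[(m["src"], m["sport"], m["dst"], m["dport"])] = int(m["dport"])
            result.setdefault(int(m["dport"]), "no reply")
            continue
        # A reply is the reversed 4-tuple of a probe we have already seen.
        port = probes.get((m["dst"], m["dport"], m["src"], m["sport"]))
        if port is None:
            continue
        if "S" in flags and "." in flags:          # SYN+ACK: probe was accepted
            result[port] = "SYN+ACK"
        elif "R" in flags:                         # RST: closed port, expected
            result[port] = "RST"
        else:
            result[port] = "other: " + flags
    return result


def offending_ports(capture: str) -> List[int]:
    """Ports where a SYN+FIN probe was answered with SYN+ACK, i.e. not dropped."""
    return sorted(p for p, r in synfin_replies(capture).items() if r == "SYN+ACK")
```

Run it over the real capture (e.g. `tcpdump -n -i em0 'tcp[tcpflags] & (tcp-syn|tcp-fin) == (tcp-syn|tcp-fin) or host <scanner>'`) and any port listed by `offending_ports` is where the host, or something in front of it, is still completing handshakes on SYN+FIN.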