From owner-freebsd-security@FreeBSD.ORG Sun Nov 23 17:53:07 2008
From: Pieter de Boer
Date: Sun, 23 Nov 2008 18:52:54 +0100
To: Eirik Øverby
Cc: freebsd-security@freebsd.org
Subject: Re: Dropping syn+fin replies, but not really?
Message-ID: <49299876.4020702@thelostparadise.com>

Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.

I'd consider this at most a 'low' severity problem.

> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the host
> in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

Given security tools' (including Nessus') track records of false positives, I wouldn't be surprised if this was one of them.

> Have I missed something important? Apart from this the hosts and
> services get away without any serious issues, but the security audit
> company insists this so-called hole be closed.

It's not a hole, but could possibly aid in bypassing filtering rules (which is quite unlikely in this day and age). It may be wise to find a security company that knows how to interpret and verify Nessus output.

If you want to do verification yourself, you could try the following:

- Run tcpdump on one of the servers and on the firewall
- Run nmap from an external host using the '--scanflags SYNFIN' flag with destination the server.

You can let tcpdump only show specific ports and source/destination addresses. It's probably useful to use nmap to scan both ports you know to be open and in use and ports that are filtered. Using the -p option to nmap, you can specify which ports to scan. Perform the nmap scan and look at the tcpdump output to see how your firewall and/or server react.

G'luck,
Pieter
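The verification Pieter describes ends with reading a tcpdump capture by hand to see whether each SYN+FIN probe got an answer. The script below is an added example, not part of the original thread or of any FreeBSD or nmap code, that does that reading for you: it parses `tcpdump -nn` output (the tcpdump 4.x line format is assumed), pairs each SYN+FIN probe from the scanner with the target's reply, and gives a verdict per port. The scanner address 203.0.113.5, the target 192.0.2.10, the ports and the capture lines are all constructed for the example; the verdict you expect from a host where `net.inet.tcp.drop_synfin=1` is in effect is `dropped`, so any `syn-ack` verdict is the finding the scanner reported, reproduced on your own wire.

```python
import re

# Assumed tcpdump -nn line format (tcpdump 4.x, IPv4/TCP), e.g.
# "18:53:04.100000 IP 203.0.113.5.40000 > 192.0.2.10.22: Flags [SF], seq 1, win 1024, length 0"
# Capture and scan commands this parser expects (run on the server and an
# external host respectively; interface name and ports are placeholders):
#   tcpdump -nn -i em0 'host 203.0.113.5 and tcp'
#   nmap --scanflags SYNFIN -p 22,80,443 192.0.2.10
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: port 22 answers SYN+FIN with SYN+ACK (the
# behaviour the scanner complained about), port 80 is silently dropped
# (what drop_synfin=1 should give), port 443 is rejected with RST, and
# port 25 is a plain SYN control probe that must be ignored.
SAMPLE_CAPTURE = """\
18:53:04.100000 IP 203.0.113.5.40000 > 192.0.2.10.22: Flags [SF], seq 1915101253, win 1024, length 0
18:53:04.100400 IP 192.0.2.10.22 > 203.0.113.5.40000: Flags [S.], seq 2248531967, ack 1915101254, win 65535, options [mss 1460], length 0
18:53:04.100800 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [SF], seq 1915101253, win 1024, length 0
18:53:04.101200 IP 203.0.113.5.40002 > 192.0.2.10.443: Flags [SF], seq 1915101253, win 1024, length 0
18:53:04.101600 IP 192.0.2.10.443 > 203.0.113.5.40002: Flags [R.], seq 0, ack 1915101254, win 0, length 0
18:53:04.102000 IP 203.0.113.5.40003 > 192.0.2.10.25: Flags [S], seq 1915101253, win 1024, length 0
18:53:04.102400 IP 192.0.2.10.25 > 203.0.113.5.40003: Flags [S.], seq 1, ack 1915101254, win 65535, length 0
"""


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for lines that
    are not IPv4/TCP packet summaries (tcpdump banner, truncated lines)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def classify_synfin_probes(lines, scanner, target):
    """Return {target_port: verdict} for every SYN+FIN probe sent by
    `scanner` to `target`. Verdicts: 'dropped' (no reply seen),
    'syn-ack' (host accepted the SYN+FIN), 'rst' (host rejected it),
    or 'other:<flags>' for anything else sent back to the probe's port."""
    probes = {}  # (scanner_port, target_port) -> verdict
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        if pkt["src"] == scanner and pkt["dst"] == target:
            # A SYN+FIN probe carries both S and F; tcpdump writes ACK as '.'.
            if "S" in flags and "F" in flags and "R" not in flags:
                probes[(pkt["sport"], pkt["dport"])] = "dropped"
        elif pkt["src"] == target and pkt["dst"] == scanner:
            key = (pkt["dport"], pkt["sport"])
            if key not in probes:
                continue  # reply to something other than our SYN+FIN probes
            if "S" in flags and "." in flags:
                probes[key] = "syn-ack"
            elif "R" in flags:
                probes[key] = "rst"
            else:
                probes[key] = "other:" + flags
    # Collapse to one verdict per target port; a seen reply beats 'dropped'.
    verdicts = {}
    for (_, dport), verdict in probes.items():
        if dport not in verdicts or verdicts[dport] == "dropped":
            verdicts[dport] = verdict
    return verdicts


if __name__ == "__main__":
    for port, verdict in sorted(
        classify_synfin_probes(SAMPLE_CAPTURE.splitlines(), "203.0.113.5", "192.0.2.10").items()
    ):
        print(f"port {port}: {verdict}")
```

Run it on a real capture with `python3 synfin_check.py < capture.txt` after swapping the sample for `sys.stdin`; run the capture on both the server and the firewall, as the mail suggests, so that a `syn-ack` verdict can be attributed to whichever box actually answered.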