From: Dag-Erling Smørgrav <des@des.no>
To: Eirik Øverby
Cc: freebsd-security@freebsd.org
Subject: Re: Dropping syn+fin replies, but not really?
Date: Mon, 24 Nov 2008 10:17:50 +0100
Message-ID: <86ej114h4x.fsf@ds4.des.no>
In-Reply-To: Eirik Øverby's message of "Sun, 23 Nov 2008 17:03:15 +0100"
List-Id: freebsd-security (Security issues, members-only posting)

Eirik Øverby writes:
> I have a FreeBSD based firewall (pfSense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.
>
> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> host in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

I added drop_synfin for one reason and one reason only: it prevented
nmap from reliably identifying a FreeBSD machine, and at the time, that
was sufficient to ward off the kind of script kiddies that would
regularly attack EFNet IRC servers. I don't think SYN+FIN packets were
ever a security issue, and I'm surprised Nessus thinks they are. Perhaps
someone read about drop_synfin and misunderstood its purpose?

Back to the issue at hand: you should use tcpdump to double-check
Nessus's findings. Who knows, perhaps drop_synfin was broken in a
network stack reorganization.

DES
-- 
Dag-Erling Smørgrav - des@des.no