Date:      Mon, 24 Nov 2008 10:44:25 +0100
From:      Jan Stary <hans@stare.cz>
To:        Eirik Øverby <ltning@anduin.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Dropping syn+fin replies, but not really?
Message-ID:  <20081124094425.GA29802@www.stare.cz>
In-Reply-To: <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net>
References:  <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net>

On Nov 23 17:03:15, Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen  
> FreeBSD servers. Now we're required to run external security scans  
> (nessus++) on some of the hosts, and they constantly come back with a  
> "high" or "medium" severity problem: The host replies to TCP packets  
> with SYN+FIN set.

Apparently, nessus thinks that replying to SYNFIN packets at all is
a problem. But it thinks so because you configured it to think so,
right? Or is this hardwired into nessus? Also, why would nessus
sometimes think that it's a "high" severity problem, and at other
times that it's a "medium" severity problem?

> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the  
> host in question (recent FreeBSD 7.2-PRERELEASE) have  
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

If you configured your firewall and servers to NOT reply to SYNFIN packets,
and they still do, then this is a configuration issue itself.

Have you also checked with other tools to find whether your servers reply
to SYNFIN, or do you trust nessus, which says so?

	Jan
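One way to do the "check with other tools" that Jan asks about, without relying on the scanner's verdict, is to take a tcpdump capture on the server side while the scan runs and look for any answer a SYN+FIN segment received. The script below is an added example, not code from the thread or from pfSense/FreeBSD: it parses tcpdump's text output (the `Flags [..]` notation, where `S` is SYN, `F` is FIN, `.` is ACK and `R` is RST) and reports, per server port probed with SYN+FIN, whether the host stayed silent (what `net.inet.tcp.drop_synfin=1` should produce) or replied. The sample capture lines are constructed for the example; the addresses are documentation ranges and not real hosts.

```python
import re

# Constructed sample of tcpdump text output (not a real capture). Host
# 192.0.2.10 answers a SYN+FIN probe with SYN+ACK; host 192.0.2.11 stays
# silent on port 80 but answers a plain SYN on port 22 normally.
SAMPLE_LINES = """\
10:44:01.000001 IP 198.51.100.9.40001 > 192.0.2.10.80: Flags [SF], seq 1, win 1024, length 0
10:44:01.000120 IP 192.0.2.10.80 > 198.51.100.9.40001: Flags [S.], seq 7, ack 2, win 65535, length 0
10:44:02.000001 IP 198.51.100.9.40002 > 192.0.2.11.80: Flags [SF], seq 1, win 1024, length 0
10:44:02.500000 IP 198.51.100.9.40003 > 192.0.2.11.22: Flags [S], seq 1, win 1024, length 0
10:44:02.500100 IP 192.0.2.11.22 > 198.51.100.9.40003: Flags [S.], seq 9, ack 2, win 65535, length 0
"""

# Matches the leading part of a tcpdump TCP line: timestamp, endpoints, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
    }


def synfin_responses(lines):
    """Map (server, port) -> flags of the first reply to a SYN+FIN probe, or None if silent.

    A probe is any segment with both S and F set. A reply is the first segment
    seen afterwards in the reverse direction of that exact 4-tuple. Plain SYN
    handshakes are ignored so normal traffic does not pollute the result.
    """
    pending = {}   # (client, cport, server, sport) -> reply flags or None
    results = {}   # (server, sport) -> reply flags or None
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]
        if "S" in flags and "F" in flags:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            pending[key] = None
            results.setdefault((pkt["dst"], pkt["dport"]), None)
            continue
        # Reverse 4-tuple: is this the server answering an outstanding probe?
        rkey = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if rkey in pending and pending[rkey] is None:
            pending[rkey] = flags
            results[(pkt["src"], pkt["sport"])] = flags
    return results


def audit(lines):
    """Human-readable verdict per probed server port, sorted for stable output."""
    out = []
    for (host, port), reply in sorted(synfin_responses(lines).items()):
        verdict = "silent (drop_synfin in effect)" if reply is None else f"replied [{reply}]"
        out.append(f"{host}:{port} {verdict}")
    return out


if __name__ == "__main__":
    for row in audit(SAMPLE_LINES.splitlines()):
        print(row)
```

Run it against a real capture with `tcpdump -nn -l tcp | python3 synfin_audit.py`-style piping replaced by reading the lines from stdin; in the constructed sample, 192.0.2.10:80 is reported as having replied with `[S.]` and 192.0.2.11:80 as silent, which is the distinction the scanner result collapses into a single severity rating.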
