Date:      Mon, 24 Nov 2008 10:44:25 +0100
From:      Jan Stary <hans@stare.cz>
To:        Eirik Øverby <ltning@anduin.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Dropping syn+fin replies, but not really?
Message-ID:  <20081124094425.GA29802@www.stare.cz>
In-Reply-To: <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net>


On Nov 23 17:03:15, Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen  
> FreeBSD servers. Now we're required to run external security scans  
> (nessus++) on some of the hosts, and they constantly come back with a  
> "high" or "medium" severity problem: The host replies to TCP packets  
> with SYN+FIN set.

Apparently, nessus thinks that replying to SYNFIN packets at all is
a problem. But it thinks so because you configured it to think so,
right? Or is this hardwired into nessus? Also, why would nessus
sometimes think that it's a "high" severity problem, and at other
times, it's a "medium" severity problem?

> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the  
> host in question (recent FreeBSD 7.2-PRERELEASE) have  
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a non- 
> issue.

If you configured your firewall and servers to NOT reply to SYNFIN packets,
and they still do, then this is a configuration issue in itself.

Have you also checked with other tools to find out whether your servers reply
to SYNFIN, or do you trust nessus, which says so?

	Jan
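One way to answer the question raised in this reply independently of the scanner: capture the probe traffic on the server or firewall with tcpdump, then check which probed ports actually answered a SYN+FIN. The script below is an added example, not code from the thread or from FreeBSD; it parses tcpdump-style lines (the sample capture and addresses are constructed) and reports, per probed host:port, the flags of any reply or None if the host stayed silent, which is what drop_synfin=1 should produce.

```python
import re

# Constructed tcpdump output (not from the original thread): three SYN+FIN
# probes from a scanner at 203.0.113.5; one host answers SYN+ACK, one is
# silent, one answers RST+ACK.
SAMPLE_CAPTURE = """\
10:44:25.000100 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [SF], seq 1, win 8192, length 0
10:44:25.000180 IP 192.0.2.10.80 > 203.0.113.5.40001: Flags [S.], seq 99, ack 2, win 65535, length 0
10:44:25.100100 IP 203.0.113.5.40002 > 192.0.2.11.22: Flags [SF], seq 1, win 8192, length 0
10:44:25.200100 IP 203.0.113.5.40003 > 192.0.2.12.443: Flags [SF], seq 1, win 8192, length 0
10:44:25.200190 IP 192.0.2.12.443 > 203.0.113.5.40003: Flags [R.], seq 0, ack 2, win 0, length 0
"""

# Matches the address/port pair and the flag field of a tcpdump TCP line.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def synfin_responders(capture_text):
    """Map each probed host:port to the flags of its reply, or None if silent."""
    probes = {}    # (server, sport, scanner, scanner_port) -> "server:port"
    results = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        flags = f["flags"]
        if "S" in flags and "F" in flags:
            # A SYN+FIN probe: remember its four-tuple, assume no reply yet.
            key = f"{f['dst']}:{f['dport']}"
            probes[(f["dst"], f["dport"], f["src"], f["sport"])] = key
            results.setdefault(key, None)
            continue
        # Any later segment travelling the reverse four-tuple is the reply.
        rev = (f["src"], f["sport"], f["dst"], f["dport"])
        if rev in probes:
            results[probes[rev]] = flags
    return results


def replying_hosts(capture_text):
    """Sorted list of probed host:port entries that answered a SYN+FIN."""
    return sorted(k for k, v in synfin_responders(capture_text).items() if v)


if __name__ == "__main__":
    for host, reply in synfin_responders(SAMPLE_CAPTURE).items():
        print(host, "silent" if reply is None else f"replied with [{reply}]")
```

Run it against a real capture (`tcpdump -nn tcp` on the firewall or server while the scan runs) and compare the list of replying hosts with the sysctl setting on each of them.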




Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081124094425.GA29802>