From: Jan Stary
To: Eirik Øverby
Cc: freebsd-security@freebsd.org
Date: Mon, 24 Nov 2008 10:44:25 +0100
Subject: Re: Dropping syn+fin replies, but not really?
Message-ID: <20081124094425.GA29802@www.stare.cz>

On Nov 23 17:03:15, Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.

Apparently, nessus thinks that replying to SYNFIN packets at all is a
problem. But it thinks so because you configured it to think so, right?
Or is this hardwired into nessus?

Also, why would nessus sometimes think that it's a "high" severity
problem, and at other times, it's a "medium" severity problem?

> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> host in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a non-
> issue.

If you configured your firewall and servers to NOT reply to SYNFIN
packets, and they still do, then this is a configuration issue itself.
Have you also checked with other tools to find whether your servers reply
to SYNFIN, or do you trust nessus who says so?

Jan
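One way to do the cross-check Jan asks about, as an added example that is not part of the original thread: run tcpdump on the scanned host while the scan is running and correlate each SYN+FIN probe with whatever the host sent back on the same flow. The tcpdump lines below are constructed sample input, and the "silent" verdict is what a working net.inet.tcp.drop_synfin=1 should produce.

```python
import re

# Constructed tcpdump-style lines (not a real capture). Flags use tcpdump's
# notation: [SF] = SYN+FIN probe, [S.] = SYN+ACK, [R.] = RST+ACK, [S] = plain SYN.
SAMPLE = """\
10:44:25.100000 IP 203.0.113.5.40000 > 198.51.100.7.22: Flags [SF], seq 1, win 512, length 0
10:44:25.100300 IP 198.51.100.7.22 > 203.0.113.5.40000: Flags [S.], seq 9, ack 2, win 65535, length 0
10:44:25.200000 IP 203.0.113.5.40001 > 198.51.100.7.80: Flags [SF], seq 1, win 512, length 0
10:44:25.300000 IP 203.0.113.5.40002 > 198.51.100.7.443: Flags [SF], seq 1, win 512, length 0
10:44:25.300200 IP 198.51.100.7.443 > 203.0.113.5.40002: Flags [R.], seq 0, ack 2, win 0, length 0
10:44:26.000000 IP 203.0.113.5.40003 > 198.51.100.7.22: Flags [S], seq 1, win 512, length 0
10:44:26.000300 IP 198.51.100.7.22 > 203.0.113.5.40003: Flags [S.], seq 9, ack 2, win 65535, length 0
"""

# Matches "IP src.sport > dst.dport: Flags [...]" as tcpdump prints IPv4 TCP lines.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def synfin_report(capture_text):
    """Map (host, port) -> verdict for every SYN+FIN probe in the capture.

    'answered' = host replied with SYN+ACK (drop_synfin is not taking effect),
    'reset'    = host replied with RST,
    'silent'   = no reply on that flow (the expected result with drop_synfin=1).
    """
    probes = {}  # (client, cport, host, hport) -> verdict
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if "S" in flags and "F" in flags:
            probes.setdefault((src, sport, dst, dport), "silent")
            continue
        # A reply runs in the reverse direction of the probe's 4-tuple;
        # replies to plain SYNs are not probes and are ignored.
        key = (dst, dport, src, sport)
        if probes.get(key) == "silent":
            if "S" in flags and "." in flags:
                probes[key] = "answered"
            elif "R" in flags:
                probes[key] = "reset"
    return {(host, int(hport)): v for (_, _, host, hport), v in probes.items()}
```

Feed it `tcpdump -nn -tt 'tcp[tcpflags] & (tcp-syn|tcp-fin) == (tcp-syn|tcp-fin) or tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'` output captured on the host itself; any "answered" entry means the sysctl is not doing what the scanner report says it should.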