Date:      Tue, 25 Nov 2008 03:45:16 +0100
From:      Jesper Wallin <jesper@nohack.se>
To:        Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Dropping syn+fin replies, but not really?
Message-ID:  <20081125024516.GA81845@zero.nohack.se>
In-Reply-To: <%2Bug4ae9RHVVTC7ztvaDEPTyd/iQ@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>
References:  <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net> <%2Bug4ae9RHVVTC7ztvaDEPTyd/iQ@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>

* Eygene Ryabinkin <rea-fbsd@codelabs.ru> [2008-11-23 23:43:03 +0300]:

> Eirik, good day.
> 
> Sun, Nov 23, 2008 at 05:03:15PM +0100, Eirik Øverby wrote:
> > I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen  
> > FreeBSD servers. Now we're required to run external security scans  
> > (nessus++) on some of the hosts, and they constantly come back with a  
> > "high" or "medium" severity problem: The host replies to TCP packets  
> > with SYN+FIN set.
> > 
> > Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the  
> > host in question (recent FreeBSD 7.2-PRERELEASE) have  
> > net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a non- 
> > issue.
> 
> First of all, (if I am correct) your firewall's setting for drop_synfin
> isn't relevant for the packets that are traversing the firewall: TCP
> input layer drops these and firewall isn't using this layer.
> 
> The easy way to identify if there are replies to SYN+FIN is to spawn
> tcpdump on the firewall and see what's going on.  It may be well so that
> some sort of scrubbing/modulation is done on the firewall, so when
> firewall notices that the SYN + FIN is blackholed, it generates RST by
> itself or just blocks SYN + FIN by itself, but sends RST.  I am making
> guesses here, because I can't test it just now and I have no idea about
> your setup.
> 
> If I remember correctly, pf is used on the pfSense, so you can easily
> block SYN + FIN on the ingress port(s):
> -----
> block in quick  on $ingress proto tcp from any to <protected_hosts> \
>   flags SF/ASF
> -----

Might be worth pointing out that if pfSense indeed uses pf, and it's set up to use the "scrub" option, a packet with SYN/FIN will simply have the FIN bit removed and the packet is delivered as a normal SYN packet. This will probably cause most pen-testing software to believe that the target host accepts packets with SYN/FIN set.

Come to think of it, I wrote a similar post about this a few years ago:
http://lists.freebsd.org/pipermail/freebsd-security/2005-July/003010.html

Though, don't use that "patch" unless you know what you're doing, especially since it was written ages ago and the source has probably been modified once or twice by now. :-)


Regards,
Jesper

> -- 
> Eygene
>  _                ___       _.--.   #
>  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
>  /  ' `         ,       __.--'      #  to read the on-line manual   
>  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
>  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
>      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
>     {_.-``-'         {_/            #
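To make the interaction between Eygene's `flags SF/ASF` rule and the scrub behaviour Jesper describes concrete, here is an added example in Python; it is my own illustration, not code from the thread, from pf or from pfSense. It models pf's `flags X/Y` match semantics and the SYN+FIN normalisation on a constructed 20-byte TCP header and runs the header through pf's order of operations (normalise first, then filter). The function names, the sample ports and the rule spec strings are assumptions made for the example.

```python
"""Model of pf's 'flags X/Y' matching and scrub's SYN+FIN normalisation.

Added example, not code from the thread or from pf's sources. Flag bit
positions follow the TCP header layout; the matching semantics follow
pf.conf(5) and the normalisation follows the behaviour described above.
"""
import struct

# TCP flag bits as they sit in the low six bits of header byte 13
# (pf.conf letter order: F S R P A U).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def flag_bits(letters):
    """'SF' -> SYN|FIN. An empty string is 0 (no bits)."""
    return sum(FLAG_LETTERS[c] for c in letters)


def flags_to_str(flags):
    """Render a flag byte in pf.conf letter notation, e.g. 'S' or 'FS'."""
    return "".join(c for c, bit in FLAG_LETTERS.items() if flags & bit)


def build_tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (no options, zero checksum).
    Constructed test input only; not a capture from the thread."""
    data_offset_and_flags = (5 << 12) | (flags & 0x3F)  # 5 x 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       data_offset_and_flags, 65535, 0, 0)


def tcp_flags_of(header):
    """Extract the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F


def pf_flags_match(flags, spec):
    """Emulate pf's 'flags X/Y': looking only at the bits named in Y (the
    mask), exactly the bits named in X must be set. 'SF/ASF' therefore
    means SYN and FIN set and ACK clear, whatever PSH/RST/URG say."""
    want, mask = spec.split("/")
    return (flags & flag_bits(mask)) == flag_bits(want)


def scrub_normalize(flags):
    """Model of the scrub behaviour described in the post: a segment that
    carries both SYN and FIN has FIN cleared and continues as a plain SYN."""
    if flags & SYN and flags & FIN:
        return flags & ~FIN
    return flags


def filter_decision(header, block_spec="SF/ASF", scrub=True):
    """Run a header through pf's pipeline order: normalisation first, then
    the filter rule. Returns (flags the rule and the host see, blocked)."""
    flags = tcp_flags_of(header)
    if scrub:
        flags = scrub_normalize(flags)
    blocked = pf_flags_match(flags, block_spec)
    return flags, blocked


if __name__ == "__main__":
    # A SYN+FIN probe of the kind the scanners in the thread send (constructed).
    probe = build_tcp_header(40000, 22, SYN | FIN)
    for scrub in (False, True):
        flags, blocked = filter_decision(probe, scrub=scrub)
        print(f"scrub={scrub}: rule sees [{flags_to_str(flags)}], blocked={blocked}")
```

Because pf normalises a packet before it evaluates the filter rules, the `scrub=True` run shows why a `block ... flags SF/ASF` rule never fires on a scrubbing firewall: by the time the rule is consulted the probe is a plain SYN, an open port behind the firewall answers it with SYN+ACK, and a scanner that sent SYN+FIN records the host as accepting it. The practical check is therefore the one Eygene suggests, tcpdump on the firewall, comparing what arrives on the outside interface with what leaves on the inside.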
