Date:      Thu, 22 May 2014 11:46:40 GMT
From:      Mark Felder <feld@FreeBSD.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/190102: net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+
Message-ID:  <201405221146.s4MBkeLx066076@cgiserv.freebsd.org>
Resent-Message-ID: <201405221150.s4MBo1ld054164@freefall.freebsd.org>


>Number:         190102
>Category:       misc
>Synopsis:       net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 22 11:50:01 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Mark Felder
>Release:        10.0-RELEASE
>Organization:
SupraNet Communications Inc.
>Environment:
FreeBSD wil.supranet.net 10.0-RELEASE-p3 FreeBSD 10.0-RELEASE-p3 #0: Tue May 13 18:31:10 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+


>How-To-Repeat:
Run this scan on identically configured FreeBSD 9 and FreeBSD 10 servers


nmap -v -v --scanflags SYNFIN -P0 <target>


FreeBSD 9 servers will report "filtered" which is correct. FreeBSD 10 servers will report "open", which means it is vulnerable to this attack to bypass the firewall.

The firewall in use on these machines is pf. It is possible to block SYN/FIN on pf as well, but our standard deployment is the sysctl method.
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201405221146.s4MBkeLx066076>