From owner-freebsd-security@FreeBSD.ORG  Sun Nov 23 16:41:44 2008
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 53C1D1065670
	for <freebsd-security@freebsd.org>;
	Sun, 23 Nov 2008 16:41:44 +0000 (UTC)
	(envelope-from ltning@anduin.net)
Received: from mail.anduin.net (mail.anduin.net [213.225.74.249])
	by mx1.freebsd.org (Postfix) with ESMTP id 1AB5B8FC13
	for <freebsd-security@freebsd.org>;
	Sun, 23 Nov 2008 16:41:44 +0000 (UTC)
	(envelope-from ltning@anduin.net)
Received: from [212.62.248.147] (helo=[192.168.2.10])
	by mail.anduin.net with esmtpsa (TLSv1:AES128-SHA:128)
	(Exim 4.69 (FreeBSD)) (envelope-from <ltning@anduin.net>)
	id 1L4HQY-000Ngu-Oh
	for freebsd-security@freebsd.org; Sun, 23 Nov 2008 17:03:14 +0100
Message-Id: <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net>
From: =?ISO-8859-1?Q?Eirik_=D8verby?= <ltning@anduin.net>
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Sun, 23 Nov 2008 17:03:15 +0100
X-Mailer: Apple Mail (2.929.2)
Subject: Dropping syn+fin replies, but not really?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Nov 2008 16:41:44 -0000

Hi all,

I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen  
FreeBSD servers. Now we're required to run external security scans  
(nessus++) on some of the hosts, and they constantly come back with a  
"high" or "medium" severity problem: The host replies to TCP packets  
with SYN+FIN set.

Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the  
host in question (recent FreeBSD 7.2-PRERELEASE) have  
net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a non- 
issue.

Have I missed something important? Apart from this the hosts and  
services get away without any serious issues, but the security audit  
company insists this so-called hole to be closed.

Anyone?

Thanks,
/Eirik