Date:      Sun, 23 Nov 2008 23:43:03 +0300
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        Eirik Øverby <ltning@anduin.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Dropping syn+fin replies, but not really?
Message-ID:  <+ug4ae9RHVVTC7ztvaDEPTyd/iQ@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>
In-Reply-To: <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net>
References:  <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net>



Eirik, good day.

Sun, Nov 23, 2008 at 05:03:15PM +0100, Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.
>
> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> host in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

First of all, (if I am correct) your firewall's setting for drop_synfin
isn't relevant for the packets that are traversing the firewall: the TCP
input layer drops these, and the firewall isn't using this layer.

The easy way to identify if there are replies to SYN+FIN is to spawn
tcpdump on the firewall and see what's going on.  It may well be that
some sort of scrubbing/modulation is done on the firewall, so when the
firewall notices that the SYN+FIN is blackholed, it generates an RST by
itself, or it just blocks the SYN+FIN by itself but sends an RST.  I am
making guesses here, because I can't test it just now and I have no idea
about your setup.

If I remember correctly, pf is used on pfSense, so you can easily
block SYN+FIN on the ingress port(s):
-----
block in quick  on $ingress proto tcp from any to <protected_hosts> \
  flags SF/ASF
-----
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
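The following is an added example, not part of the original message and not pf's own code. It re-implements the documented semantics of pf's `flags <set>/<mask>` test in pure Python and runs it over a handful of constructed TCP headers, so you can see which probes the suggested `flags SF/ASF` rule catches (SYN+FIN, and SYN+FIN with PSH or URG added, since those bits are outside the mask) and which it lets through (SYN+FIN+ACK, because A is in the mask but not in the set). The port numbers, the probe set and the set-must-be-within-mask sanity check are this example's own assumptions, not something pf or nessus is known to do.

```python
"""Evaluate pf-style 'flags <set>/<mask>' TCP rules against raw TCP headers.

Illustrative code written for this page; not pf's implementation.
"""
import struct

# TCP flag letters as pf.conf spells them, mapped to their bit in header byte 13.
TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flags_to_bits(letters):
    """'SF' -> 0x03. Raises KeyError on a letter pf does not know."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAG_BITS[ch]
    return bits


def bits_to_letters(bits):
    """0x03 -> 'FS' (letters ordered by bit position, '.' for no flags)."""
    return "".join(ch for ch, b in TCP_FLAG_BITS.items() if bits & b) or "."


def parse_pf_flags(spec):
    """'SF/ASF' -> (set_bits, mask_bits).

    pf semantics: only the flags named in <mask> are examined, and of those
    exactly the ones named in <set> must be on. Flags outside the mask are
    ignored, so 'SF/ASF' still matches a SYN+FIN probe that also carries
    PSH or URG, but not one that carries ACK.
    """
    set_part, mask_part = spec.split("/", 1)
    set_bits, mask_bits = flags_to_bits(set_part), flags_to_bits(mask_part)
    # Sanity check added by this example (assumption: a set flag outside the
    # mask could never match, so treat it as a configuration error).
    if set_bits & ~mask_bits:
        raise ValueError("flags in <set> must also appear in <mask>: " + spec)
    return set_bits, mask_bits


def pf_flags_match(tcp_flags, spec):
    """True if a TCP flags byte satisfies the pf 'flags' spec."""
    set_bits, mask_bits = parse_pf_flags(spec)
    return (tcp_flags & mask_bits) == set_bits


def build_tcp_header(sport, dport, flags):
    """Constructed minimal 20-byte TCP header (seq/ack/checksum zeroed).

    Layout: sport, dport, seq, ack, data offset (5 words) << 4, flags,
    window, checksum, urgent pointer.
    """
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def tcp_flags_of(header):
    """Flags live in byte 13 of the TCP header (tcpdump's tcp[tcpflags])."""
    return header[13]


def evaluate_rule(spec, probes):
    """Run the pf flags test over {name: raw_tcp_header}; return {name: blocked?}."""
    return {name: pf_flags_match(tcp_flags_of(hdr), spec) for name, hdr in probes.items()}


# Constructed probes, modelled on what a scanner might send to port 22 on a
# protected host (ports and probe mix are assumptions for this example).
PROBES = {
    "plain SYN":       build_tcp_header(40000, 22, flags_to_bits("S")),
    "SYN+FIN":         build_tcp_header(40001, 22, flags_to_bits("SF")),
    "SYN+FIN+PSH+URG": build_tcp_header(40002, 22, flags_to_bits("SFPU")),
    "SYN+FIN+ACK":     build_tcp_header(40003, 22, flags_to_bits("SFA")),
    "lone FIN":        build_tcp_header(40004, 22, flags_to_bits("F")),
}

if __name__ == "__main__":
    for name, blocked in evaluate_rule("SF/ASF", PROBES).items():
        letters = bits_to_letters(tcp_flags_of(PROBES[name]))
        print(f"{name:16s} flags={letters:5s} {'block' if blocked else 'pass'}")
```

To confirm on the wire what the reply above suggests, a pcap filter that keys on the same byte this code examines shows both the probes and any resets going back: `tcpdump -ni <ingress_if> 'tcp[tcpflags] & (tcp-syn|tcp-fin) == (tcp-syn|tcp-fin) or tcp[tcpflags] & tcp-rst != 0'`. If an RST leaves the firewall's outside interface for a SYN+FIN probe while the end host (with `net.inet.tcp.drop_synfin=1`) never sees the probe at all, the firewall, not the host, is what the scanner is hearing from.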




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?+ug4ae9RHVVTC7ztvaDEPTyd/iQ>