Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 23 Nov 2008 23:43:03 +0300
From:      Eygene Ryabinkin <>
To:        Eirik ?verby <>
Subject:   Re: Dropping syn+fin replies, but not really?
Message-ID:  <+ug4ae9RHVVTC7ztvaDEPTyd/iQ@iXA9ZWPrtc2I2BMzBXoToMd7YdQ>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Eirik, good day.

Sun, Nov 23, 2008 at 05:03:15PM +0100, Eirik ?verby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen =20
> FreeBSD servers. Now we're required to run external security scans =20
> (nessus++) on some of the hosts, and they constantly come back with a =20
> "high" or "medium" severity problem: The host replies to TCP packets =20
> with SYN+FIN set.
> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the =20
> host in question (recent FreeBSD 7.2-PRERELEASE) have =20
> net.inet.tcp.drop_synfin=3D1 - I would therefore expect this to be a non-=
> issue.

First of all, (if I am correct) your firewall's setting for drop_synfin
isn't relevant for the packets that are traversing the firewall: TCP
input layer drops these and firewall isn't using this layer.

The easy way to identify if there are replies to SYN+FIN is to spawn
tcpdump on the firewall and see what's going on.  It may be well so that
the some sort of scrubbing/modulation is done on the firewall, so when
firewall notices that the SYN + FIN is blackholed, it generates RST by
itself or just blocks SYN + FIN by itself, but sends RST.  I am making
guesses here, because I can't test it just now and I have no idea about
your setup.

If I remember correctly, pf is used on the pfSense, so you can easily
block SYN + FIN on the ingress port(s):
block in quick  on $ingress proto tcp from any to <protected_hosts> \
  flags SF/ASF
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual  =20
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook=20
    {_.-``-'         {_/            #

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v2.0.9 (FreeBSD)



Want to link to this message? Use this URL: <>