From: Eygene Ryabinkin
To: Eirik Øverby
Cc: freebsd-security@freebsd.org
Date: Sun, 23 Nov 2008 23:43:03 +0300
Subject: Re: Dropping syn+fin replies, but not really?

Eirik, good day.

Sun, Nov 23, 2008 at 05:03:15PM +0100, Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.
>
> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> host in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

First of all, (if I am correct) your firewall's setting for drop_synfin
isn't relevant for the packets that are traversing the firewall: the TCP
input layer drops these and the firewall isn't using this layer.

The easy way to identify if there are replies to SYN+FIN is to spawn
tcpdump on the firewall and see what's going on. It may well be that
some sort of scrubbing/modulation is done on the firewall, so when the
firewall notices that the SYN + FIN is blackholed, it generates RST by
itself, or it just blocks SYN + FIN by itself but sends RST. I am making
guesses here, because I can't test it just now and I have no idea about
your setup.

If I remember correctly, pf is used on the pfSense, so you can easily
block SYN + FIN on the ingress port(s):
-----
block in quick on $ingress proto tcp from any to \
	flags SF/ASF
-----
-- 
Eygene

    Remember that it is hard to read the on-line manual
    while single-stepping the kernel.
        -- FreeBSD Developers handbook
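The reply above suggests running tcpdump on the firewall to see whether the probed hosts (or the firewall itself) answer SYN+FIN at all. The script below is an added example, not code from this thread or from FreeBSD/pfSense: it reads the text output of a modern tcpdump (`tcpdump -n -l -i <iface> tcp`, "Flags [..]" line layout, IPv4 only), pairs each SYN+FIN probe with the first packet seen on the reversed 4-tuple, and reports per probed service whether the answer was a SYN+ACK (the stack accepted SYN+FIN, which is what the scanner flags), an RST (typically a firewall rule returning a reset), or nothing (drop_synfin or a silent block in effect). All addresses and capture lines are constructed sample data.

```python
"""Classify SYN+FIN probes and their replies from tcpdump text output.

Added example for the freebsd-security thread above; not part of the
original message. Feed it real data with something like
    tcpdump -n -l -i em0 tcp | python3 synfin_audit.py
(interface name is a placeholder) or run it as-is on the built-in sample.
"""
import re
import sys

# Matches the modern tcpdump line layout produced with -n, for example
#   20:43:05.100000 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [SF], seq 0, ...
# Only the fields needed here are captured; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: one host answers SYN+FIN with SYN+ACK, one is
# silent, one gets an RST (as a firewall returning a reset would produce),
# followed by an ordinary SYN handshake that must be left alone.
SAMPLE = """\
20:43:05.100000 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [SF], seq 0, win 512, length 0
20:43:05.100200 IP 192.0.2.10.22 > 203.0.113.5.40001: Flags [S.], seq 1000, ack 1, win 65535, length 0
20:43:05.200000 IP 203.0.113.5.40002 > 192.0.2.11.22: Flags [SF], seq 0, win 512, length 0
20:43:05.300000 IP 203.0.113.5.40003 > 192.0.2.12.80: Flags [SF], seq 0, win 512, length 0
20:43:05.300150 IP 192.0.2.12.80 > 203.0.113.5.40003: Flags [R.], seq 0, ack 1, win 0, length 0
20:43:06.000000 IP 198.51.100.7.51000 > 192.0.2.10.22: Flags [S], seq 42, win 65535, length 0
20:43:06.000100 IP 192.0.2.10.22 > 198.51.100.7.51000: Flags [S.], seq 7, ack 43, win 65535, length 0
"""


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def classify_reply(flags):
    """Name the kind of answer the probed host (or a firewall in front of it) sent."""
    if "S" in flags and "." in flags:
        return "syn-ack"   # stack accepted SYN+FIN: exactly what the scanner reports
    if "R" in flags:
        return "rst"       # reset, e.g. from a blocking rule that returns RST
    return "other"


def audit_synfin(capture_text):
    """Pair every SYN+FIN probe with the first reply on the reversed 4-tuple.

    Returns a dict keyed by "dst:port" of each probed service, with the value
    "syn-ack", "rst", "other" or "silent" (no reply seen in the capture).
    """
    verdicts = {}
    pending = {}  # (src, sport, dst, dport) of probes that have no reply yet
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        if "S" in flags and "F" in flags:
            service = f"{dst}:{dport}"
            pending[(src, sport, dst, dport)] = service
            verdicts[service] = "silent"  # overwritten if a reply turns up
            continue
        reverse = (dst, dport, src, sport)
        if reverse in pending:
            verdicts[pending.pop(reverse)] = classify_reply(flags)
    return verdicts


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for service, verdict in sorted(audit_synfin(text).items()):
        print(f"{service:<22} {verdict}")
```

Only a "syn-ack" verdict means the end host's TCP stack ignored drop_synfin; an "rst" points at the firewall (or a `block return` style rule) answering on the host's behalf, and "silent" is the behaviour drop_synfin=1 is supposed to give.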