Date:      Mon, 24 Nov 2008 10:17:50 +0100
From:      Dag-Erling Smørgrav <des@des.no>
To:        Eirik Øverby <ltning@anduin.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Dropping syn+fin replies, but not really?
Message-ID:  <86ej114h4x.fsf@ds4.des.no>
In-Reply-To: <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net> ("Eirik Øverby"'s message of "Sun, 23 Nov 2008 17:03:15 +0100")
References:  <FD5EC41D-02D2-46A7-9A32-AF500C98BF25@anduin.net>

Eirik Øverby <ltning@anduin.net> writes:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.
>
> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> host in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.

I added drop_synfin for one reason and one reason only: it prevented
nmap from reliably identifying a FreeBSD machine, and at the time, that
was sufficient to ward off the kind of script kiddies that would
regularly attack EFNet IRC servers.  I don't think SYN+FIN packets were
ever a security issue, and I'm surprised Nessus thinks they are.
Perhaps someone read about drop_synfin and misunderstood its purpose?

Back to the issue at hand: you should use tcpdump to double-check
nessus's findings.  Who knows, perhaps drop_synfin was broken in a
network stack reorganization.

DES
-- 
Dag-Erling Smørgrav - des@des.no
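The reply above recommends verifying the scanner's finding with tcpdump rather than trusting the report. The following is an added example (not part of the thread, and not FreeBSD or pfSense code) of how a defender would evaluate such a capture: it takes `tcpdump -n` text captured on the scanned host while the external scan runs, pairs every inbound SYN+FIN segment with any segment the host sent back to the same source, and reports which probes were answered. With `net.inet.tcp.drop_synfin=1` taking effect, no SYN+FIN probe should have a reply at all. The interface name, addresses and capture lines are constructed for the example; the tcpdump filter syntax and flag letters are standard tcpdump output.

```python
"""Audit a tcpdump capture for SYN+FIN probes that the host answered.

Assumed capture command on the scanned FreeBSD host (interface name and
scanner address are placeholders):

    tcpdump -n -i em0 'tcp and host 192.0.2.10'

tcpdump prints TCP flags as letters: S=SYN, F=FIN, R=RST, P=PSH, '.'=ACK.
A SYN+FIN probe therefore shows up as 'Flags [SF]'; a reply to it is any
segment going the other way on the same 4-tuple (typically 'S.' or 'R.').
"""
import re

# Constructed sample, not a real capture: the scanner 192.0.2.10 sends
# SYN+FIN to ports 22 and 80 on 198.51.100.5. Port 22 answers with SYN+ACK
# (drop_synfin not in effect on that path), port 80 stays silent. The plain
# SYN to port 443 is ordinary traffic and must not be counted.
SAMPLE_CAPTURE = """\
10:17:50.000001 IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [SF], seq 1000, win 1024, length 0
10:17:50.000120 IP 198.51.100.5.22 > 192.0.2.10.40001: Flags [S.], seq 2000, ack 1001, win 65535, options [mss 1460], length 0
10:17:50.000500 IP 192.0.2.10.40002 > 198.51.100.5.80: Flags [SF], seq 3000, win 1024, length 0
10:17:51.000000 IP 192.0.2.10.40003 > 198.51.100.5.443: Flags [S], seq 4000, win 1024, length 0
10:17:51.000090 IP 198.51.100.5.443 > 192.0.2.10.40003: Flags [S.], seq 5000, ack 4001, win 65535, length 0
"""

# Matches the leading part of a 'tcpdump -n' IPv4 TCP line: timestamp,
# src.port > dst.port, and the flag letters inside 'Flags [...]'.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict with src/sport/dst/dport/flags, or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    seg = m.groupdict()
    seg["sport"] = int(seg["sport"])
    seg["dport"] = int(seg["dport"])
    return seg


def is_synfin(flags):
    """True when both SYN and FIN are set, regardless of other flags."""
    return "S" in flags and "F" in flags


def audit_synfin(capture_text):
    """Map each SYN+FIN probe (src, sport, dst, dport) to the flags of the
    host's reply, or None when the probe was silently dropped.

    Any reply counts: a SYN+ACK means the stack accepted the bogus segment,
    and a RST still tells the scanner the port is closed. Retransmitted
    SYN+FIN probes are ignored in the second pass because they are not replies.
    """
    segments = [s for s in map(parse_line, capture_text.splitlines()) if s]
    probes = {}
    for s in segments:
        if is_synfin(s["flags"]):
            probes[(s["src"], s["sport"], s["dst"], s["dport"])] = None
    for s in segments:
        reverse_key = (s["dst"], s["dport"], s["src"], s["sport"])
        if reverse_key in probes and not is_synfin(s["flags"]):
            probes[reverse_key] = s["flags"]
    return probes


def summarize(probes):
    """Condense the audit into counts plus the ports that were answered."""
    answered = {k: v for k, v in probes.items() if v is not None}
    return {
        "probes": len(probes),
        "answered": len(answered),
        "answered_ports": sorted(k[3] for k in answered),
    }


if __name__ == "__main__":
    result = summarize(audit_synfin(SAMPLE_CAPTURE))
    if result["answered"]:
        print("SYN+FIN probes answered on ports:", result["answered_ports"])
    else:
        print("all %d SYN+FIN probes were dropped" % result["probes"])
```

Run it against a real capture by replacing `SAMPLE_CAPTURE` with the contents of a saved tcpdump text file. If the host is behind a firewall, as in the thread, capture on both sides: a probe that is answered in the host's own capture shows the host's `drop_synfin` is not working, while a probe that never appears there at all means the firewall already dropped it.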
