Eirik, good day. Sun, Nov 23, 2008 at 05:03:15PM +0100, Eirik ?verby wrote: > I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen > FreeBSD servers. Now we're required to run external security scans > (nessus++) on some of the hosts, and they constantly come back with a > "high" or "medium" severity problem: The host replies to TCP packets > with SYN+FIN set. > > Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the > host in question (recent FreeBSD 7.2-PRERELEASE) have > net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a non- > issue.
First of all, (if I am correct) your firewall's setting for drop_synfin
isn't relevant for the packets that are traversing the firewall: TCP
input layer drops these and firewall isn't using this layer.
The easy way to identify if there are replies to SYN+FIN is to spawn
tcpdump on the firewall and see what's going on. It may be well so that
the some sort of scrubbing/modulation is done on the firewall, so when
firewall notices that the SYN + FIN is blackholed, it generates RST by
itself or just blocks SYN + FIN by itself, but sends RST. I am making
guesses here, because I can't test it just now and I have no idea about
your setup.
If I remember correctly, pf is used on the pfSense, so you can easily
block SYN + FIN on the ingress port(s):
-----
block in quick on $ingress proto tcp from any to <protected_hosts> \
flags SF/ASF
-----
--
Eygene
_ ___ _.--. #
\`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
/ ' ` , __.--' # to read the on-line manual
)/' _/ \ `-_, / # while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as #
_.-'_./ {_.' ; / # -- FreeBSD Developers handbook
{_.-``-' {_/ #
pgpyD5zHngSlG.pgp
Description: PGP signature
