Eirik Øverby <[EMAIL PROTECTED]> writes: > I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen > FreeBSD servers. Now we're required to run external security scans > (nessus++) on some of the hosts, and they constantly come back with a > "high" or "medium" severity problem: The host replies to TCP packets > with SYN+FIN set. > > Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the > host in question (recent FreeBSD 7.2-PRERELEASE) have > net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a > non- issue.
I added drop_synfin for one reason and one reason only: it prevented nmap from reliably identifying a FreeBSD machine, and at the time, that was sufficient to ward off the kind of script kiddies that would regularly attack EFNet IRC servers. I don't think SYN+FIN packets were ever a security issue, and I'm surprised Nessus thinks they are. Perhaps someone read about drop_synfin and misunderstood its purpose? Back to the issue at hand: you should use tcpdump to double-check nessus's findings. Who knows, perhaps drop_synfin was broken in a network stack reorganization. DES -- Dag-Erling Smørgrav - [EMAIL PROTECTED] _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
