On Saturday, Jan 24, 2004, at 09:42 US/Pacific, Per-Olov Sjöholm wrote:

A friend yesterday scanned my firewall with nessus. One thing he found was that nessus said:
"The remote host does not discard TCP SYN packet which have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules."


I do however use:
block log all
scrub in on $INTERNET_INT all fragment reassemble
And on all incoming TCP "permit" rules I use "S/SA" as the flag combination.


I have earlier used rules like:
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags UAPRSF/UAPRSF
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags PUF/PUF
But I removed these as I assumed that "scrub" would block all illegal flag combinations for me.

SYN+FIN is not an illegal flag combination, just ambiguous in some cases. As one of scrub's jobs is to normalize the ambiguous, it simply strips FIN.


Questions:
* What does "scrub" actually do? Can't find much in the pf.conf man page.

- Validates and reassembles/crops/drops IP fragments, dropping or stripping ambiguous DF bits in the process
- Randomizes IP ID if appropriate
- Enforces a minimum TTL if appropriate
- For TCP flags:
  SF/SF -> strips F
  SR/SR, /SAR, F/AF, P/AP, U/AU -> drops
  strips U if no valid urgent data
- Adjusts TCP MSS if appropriate
- Modulates TCP timestamps if appropriate


* Do I have to manually block all illegal flag combinations as I earlier used to do when I used ipfilter?

No.
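To make the flag rules listed in the reply concrete, here is an added example (not from the thread, and not pf's own source) that models pf's "flags set/mask" syntax and walks the Nessus SYN+FIN probe and the two old ipfilter-style combinations through that normalization; the urgent-data check is a simplified assumption.

```python
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def flagbits(s):
    """Turn a pf flag string such as "SA" into a bitmask ("" -> 0)."""
    return sum(FLAGS[c] for c in s)

def flagstr(bits):
    """Inverse of flagbits, listing set flags in F S R P A U order."""
    return "".join(c for c, b in FLAGS.items() if bits & b)

def flags_match(pkt, spec):
    """pf 'flags set/mask': of the bits named in mask, exactly those in set are on.
    "S/SA" matches SYN-only; "/SAR" matches a packet with none of S, A, R."""
    set_s, mask_s = spec.split("/")
    return pkt & flagbits(mask_s) == flagbits(set_s)

# Normalization rules as enumerated in the reply, applied in order.
SCRUB_RULES = [
    ("SF/SF", "strip F"),   # SYN+FIN is ambiguous, not illegal: keep the SYN
    ("SR/SR", "drop"),      # SYN+RST is illegal
    ("/SAR", "drop"),       # none of SYN/ACK/RST set: cannot belong to any state
    ("F/AF", "drop"),       # FIN, PSH or URG without ACK are illegal
    ("P/AP", "drop"),
    ("U/AU", "drop"),
]

def scrub(pkt, urgent_valid=True):
    """Return ("drop", None) or ("pass", normalized flag bits)."""
    for spec, action in SCRUB_RULES:
        if flags_match(pkt, spec):
            if action == "drop":
                return "drop", None
            pkt &= ~FLAGS["F"]      # "strip F": clear FIN and keep evaluating
    if pkt & FLAGS["U"] and not urgent_valid:   # assumption: models "strips U"
        pkt &= ~FLAGS["U"]
    return "pass", pkt

def classify(flags, urgent_valid=True):
    """Wrapper taking and returning pf-style flag strings."""
    action, bits = scrub(flagbits(flags), urgent_valid)
    return action, None if bits is None else flagstr(bits)

if __name__ == "__main__":
    # Constructed probes: Nessus SYN+FIN, the two old rules, and normal packets.
    for probe in ("SF", "UAPRSF", "PUF", "S", "SA", "A", "PA", "F"):
        print(f"{probe:>7} -> {classify(probe)}")
```

Both of the old ipfilter-style combinations (UAPRSF and PUF) end up dropped by the listed rules, while SYN+FIN passes on as a plain SYN, which is what the "No." above means in practice.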