Daniel Hartmeier said:

> On Sun, Jan 25, 2004 at 02:59:16PM +0100, Per-Olov Sjöholm wrote:
>
>> I know the purpose of the flag mask... But I thought Daniel Hartmeier said
>> that F is cleared by scrub if it's in a combination with S, and therefore
>> combinations like S/SAF or S/SAFR should not be necessary.
>> And the problem is that scrub, according to a "nessus" scan, doesn't clear
>> the F flag.
>> If I have S/SA on an accept rule and a generic scrub statement, I would,
>> according to what Daniel Hartmeier said, assume the following:
>> The F flag should be cleared by scrub!
>> Either I specify the scrub statement wrong or totally misunderstand
>> something here...
>
> If your scrub rule matches (pfctl -vsr packet vs. evaluation counters
> will tell), the FIN bit is cleared. Afterwards, the filter rules are
> evaluated. If a pass rule matches (flags S/SA would match, as would
> flags S/SAF, since FIN is already cleared at that point), the packet is
> passed, and the recipient will likely return a SYN+ACK.
>
> That might cause nessus to report the SYN+FIN has penetrated the
> firewall, but it hasn't really. You explicitly allowed the connection
> with the pass rule. If you change the rules to block the connection
> instead (based on port, not flags), it is blocked. nessus can't bypass
> the ruleset by using SYN+FIN, and its report is misleading. It can't
> tell whether the FIN was removed (from the SYN+ACK it gets back). It can
> only send the SYN+FIN and check whether a SYN+ACK comes back, then draw
> (wrong) conclusions.
>
> I'd just ignore the warning. If you have doubts, run tcpdump on the
> internal interface (or the recipient), and try to bypass a block rule
> with nessus.
>
> Daniel
Thank you, Daniel. Now it's crystal clear.

Regards
Per-Olov Sjöholm
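The order of operations Daniel describes (scrub normalizes the TCP flags first, then the pass rule's `flags X/Y` mask is evaluated) can be modelled as a small script. This is an added illustration written for this thread, not pf source or anything from the list: it implements only the SYN+FIN normalization the thread discusses, not scrub's other checks, and the `flags X/Y` semantics assumed here are "of the bits named in mask Y, exactly those named in X must be set".

```python
# Model of "scrub first, then evaluate flags/mask" as described in the thread.
# Illustrative code only; it is not pf's implementation.

# Standard TCP flag bits, keyed by the single-letter names pf uses.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec: str) -> int:
    """Turn a letter string such as 'SAF' into a bitmask (unknown letters raise)."""
    bits = 0
    for letter in spec:
        bits |= FLAG_BITS[letter]
    return bits


def scrub(flags: int) -> int:
    """Normalization step modelled here: a SYN that also carries FIN has FIN cleared."""
    if flags & FLAG_BITS["S"] and flags & FLAG_BITS["F"]:
        flags &= ~FLAG_BITS["F"]
    return flags


def matches(rule: str, flags: int) -> bool:
    """'flags X/Y': compare only the bits in mask Y, which must equal exactly X."""
    want, mask = rule.split("/")
    return (flags & parse_flags(mask)) == parse_flags(want)


def evaluate(rule: str, packet_flags: str, scrub_enabled: bool = True) -> bool:
    """True if a pass rule with the given flags spec would accept the packet."""
    flags = parse_flags(packet_flags)
    if scrub_enabled:
        flags = scrub(flags)  # scrub runs before the filter rules are consulted
    return matches(rule, flags)


if __name__ == "__main__":
    # Constructed cases: a plain SYN, a SYN+FIN, and a SYN+ACK against each rule.
    for rule in ("S/SA", "S/SAF", "S/SAFR"):
        for pkt in ("S", "SF", "SA"):
            for scrubbed in (True, False):
                mode = "scrub" if scrubbed else "no scrub"
                print(f"{rule:<7} {pkt:<3} {mode:<9} pass={evaluate(rule, pkt, scrubbed)}")
```

With scrub on, S/SA and S/SAF both pass the SYN+FIN probe (the FIN is gone by the time the rule is checked), which is why a scanner that only watches for the SYN+ACK cannot tell the difference; without scrub, S/SA still passes it while S/SAF does not.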
