Re: Remote host replies to SYN+FIN
does anybody have any idea how to resolve this? thanks..

kalin m wrote:
> hi all...
>
> after setting up a pf rule set on one of newly installed freebsd 7 i did a scan with nessus 3 on that machine the result i got was like this one:
> http://www.nessus.org/plugins/index.php?view=singleid=11618
>
> how do i 'fix' it using pf?...
>
> thanks...

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Remote host replies to SYN+FIN
kalin m wrote:
> does anybody have any idea how to resolve this? thanks..
>
> kalin m wrote:
>> hi all...
>>
>> after setting up a pf rule set on one of newly installed freebsd 7 i did a scan with nessus 3 on that machine the result i got was like this one:
>> http://www.nessus.org/plugins/index.php?view=singleid=11618
>>
>> how do i 'fix' it using pf?...
>>
>> thanks...

Hi,

I think that you should look at the 'scrub' directive in pf.conf. I think that a 'scrub in all' should block that kind of malformed packet.

Martin
Re: Remote host replies to SYN+FIN
On Aug 7, 2008, at 11:33 AM, kalin m wrote:
> does anybody have any idea how to resolve this? thanks..
>
> kalin m wrote:
>> hi all...
>>
>> after setting up a pf rule set on one of newly installed freebsd 7 i did a scan with nessus 3 on that machine the result i got was like this one:
>> http://www.nessus.org/plugins/index.php?view=singleid=11618
>>
>> how do i 'fix' it using pf?...

Add a pf rule like this to pf.conf:

    block in proto tcp from any flags SF/SF

...?

--
-Chuck
Re: Remote host replies to SYN+FIN
i have that in. i still get that message from nessus...
maybe synproxy or something like S/SAF?!

FreeBSD wrote:
> kalin m wrote:
>> does anybody have any idea how to resolve this? thanks..
>>
>> kalin m wrote:
>>> hi all...
>>>
>>> after setting up a pf rule set on one of newly installed freebsd 7 i did a scan with nessus 3 on that machine the result i got was like this one:
>>> http://www.nessus.org/plugins/index.php?view=singleid=11618
>>>
>>> how do i 'fix' it using pf?...
>>>
>>> thanks...
>
> Hi,
>
> I think that you should look at the 'scrub' directive in pf.conf. I think that a 'scrub in all' should block that kind of malformed packet.
>
> Martin
Re: Remote host replies to SYN+FIN
thanks... or something like it... i'll try...

Chuck Swiger wrote:
> On Aug 7, 2008, at 11:33 AM, kalin m wrote:
>> does anybody have any idea how to resolve this? thanks..
>>
>> kalin m wrote:
>>> hi all...
>>>
>>> after setting up a pf rule set on one of newly installed freebsd 7 i did a scan with nessus 3 on that machine the result i got was like this one:
>>> http://www.nessus.org/plugins/index.php?view=singleid=11618
>>>
>>> how do i 'fix' it using pf?...
>
> Add a pf rule like this to pf.conf:
>
>     block in proto tcp from any flags SF/SF
>
> ...?
Re: Remote host replies to SYN+FIN
kalin m wrote:
> does anybody have any idea how to resolve this?

[snip]

Not without a lot more information. But I may be able to fathom some wild guess, generically speaking.

Only allow connections to set up like this:

    pass out quick on $ExtIF inet proto tcp all flags S/SA keep state
    pass in quick on $ExtIF inet proto tcp from any to any port 48080 flags S/SA keep state

Notice I included the keep state for illustrative purposes. With the latest version of pf this is now the default condition and including it is no longer required.

Then either block the SYN+FIN before they reach these rules, or simply allow it to fall through to a generic dumping rule like this:

    block in quick log on $ExtIF all

This way the SYN+FIN doesn't match the rules for legitimate traffic and falls through to default block all non-legitimate traffic.

YMMV

- Mike
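
How the `flags a/b` expressions quoted in this thread (SF/SF, S/SA, S/SAF) evaluate against a SYN+FIN segment, following the pf.conf(5) definition: out of the flags in set b, exactly those in a must be set, and flags outside b are ignored. This is an added example, not code from any poster or from pf itself; the function names and the probe list are constructed for illustration.

```python
# Added illustration (not pf source): models only the "flags a/b" test.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def to_bits(letters):
    """Convert pf flag letters such as 'SA' into a TCP flag bitmask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError("unknown TCP flag letter: %r" % ch)
        bits |= TCP_FLAG_BITS[ch]
    return bits


def flags_match(spec, packet_flags):
    """Return True if a packet's flags satisfy a pf 'flags a/b' expression."""
    if "/" not in spec:
        raise ValueError("expected a/b, got %r" % spec)
    want, mask = spec.split("/", 1)
    want_bits, mask_bits = to_bits(want), to_bits(mask)
    if want_bits & ~mask_bits:
        raise ValueError("%r can never match: a has flags outside b" % spec)
    # Only the bits named in the mask are compared; the rest are ignored.
    return (to_bits(packet_flags) & mask_bits) == want_bits


# Flag expressions that appear in the thread.
THREAD_SPECS = ["SF/SF", "S/SA", "S/SAF"]
# Constructed probes: plain SYN, the scanner's SYN+FIN, and SYN+ACK.
PROBES = ["S", "SF", "SA"]


def evaluate(specs=THREAD_SPECS, probes=PROBES):
    """Map each flag expression to {probe: matched?}."""
    return {s: {p: flags_match(s, p) for p in probes} for s in specs}


if __name__ == "__main__":
    for spec, row in evaluate().items():
        print("flags %-6s" % spec,
              "  ".join("%s=%s" % (p, "match" if m else "no")
                        for p, m in row.items()))
```

A SYN+FIN segment satisfies `flags S/SA` because FIN is outside the mask, so what happens to it depends on what is evaluated before a pass rule written that way. `S/SAF` and `SF/SF` both include FIN in the comparison.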
Remote host replies to SYN+FIN
hi all...

after setting up a pf rule set on one of newly installed freebsd 7 i did a scan with nessus 3 on that machine the result i got was like this one:
http://www.nessus.org/plugins/index.php?view=singleid=11618

how do i 'fix' it using pf?...

thanks...