Dropping syn+fin replies, but not really?
- From: Eirik Øverby <ltning@xxxxxxxxxx>
- Date: Sun, 23 Nov 2008 17:03:15 +0100
Hi all,
I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen FreeBSD servers. Now we're required to run external security scans (nessus++) on some of the hosts, and they constantly come back with a "high" or "medium" severity problem: The host replies to TCP packets with SYN+FIN set.
Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the host in question (recent FreeBSD 7.2-PRERELEASE) have net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a non-issue.
Have I missed something important? Apart from this, the hosts and services get away without any serious issues, but the security audit company insists that this so-called hole be closed.
Anyone?
Thanks,
/Eirik
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
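One way to settle whether drop_synfin is actually in force, independently of what the scanner or the sysctl claims, is to capture the scanner's SYN+FIN probes and the host's replies and check them programmatically. The script below is an added example and not part of the original mail or of FreeBSD; it parses raw TCP headers, pairs each inbound SYN+FIN segment with the host's answer, and says whether the probe was silently dropped, refused with RST, or accepted with SYN+ACK (the condition the scanner reports). The packets it runs over are constructed inline for illustration; in practice you would feed it segments taken from a tcpdump or libpcap capture on the host's interface.

```python
import struct

# TCP flag bits (low byte of the 16-bit data-offset/flags field).
TH_FIN = 0x01
TH_SYN = 0x02
TH_RST = 0x04
TH_PSH = 0x08
TH_ACK = 0x10

FLAG_NAMES = [(TH_FIN, "FIN"), (TH_SYN, "SYN"), (TH_RST, "RST"),
              (TH_PSH, "PSH"), (TH_ACK, "ACK")]


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header; returns ports, seq/ack and flags."""
    if len(segment) < 20:
        raise ValueError("short TCP segment")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0x01FF,            # 9 flag bits incl. NS
    }


def flag_string(flags: int) -> str:
    return "+".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def is_synfin(flags: int) -> bool:
    """True when both SYN and FIN are set, the combination drop_synfin targets."""
    return flags & (TH_SYN | TH_FIN) == (TH_SYN | TH_FIN)


def build_segment(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal TCP header (no options, zero checksum) for sample data."""
    off_flags = (5 << 12) | flags               # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0)


def audit_capture(packets):
    """packets: iterable of (direction, segment); direction is 'in' (towards
    the host) or 'out' (from the host). Pairs every inbound SYN+FIN probe with
    the host's reply and returns one verdict per probe."""
    probes = {}  # (client_port, server_port, client_seq) -> reply flags or None
    for direction, seg in packets:
        h = parse_tcp_header(seg)
        if direction == "in" and is_synfin(h["flags"]):
            probes[(h["sport"], h["dport"], h["seq"])] = None
        elif direction == "out":
            # A reply acknowledges the probe's ISN + 1 and swaps the ports.
            key = (h["dport"], h["sport"], h["ack"] - 1)
            if key in probes:
                probes[key] = h["flags"]

    report = []
    for (cport, sport, seq), reply in probes.items():
        if reply is None:
            verdict = "dropped: no reply, drop_synfin is effective"
        elif reply & TH_RST:
            verdict = "refused with RST"
        elif reply & (TH_SYN | TH_ACK) == (TH_SYN | TH_ACK):
            verdict = "accepted with SYN+ACK: host treats SYN+FIN as a plain SYN"
        else:
            verdict = "other reply: " + flag_string(reply)
        report.append({"client_port": cport, "server_port": sport,
                       "reply_flags": reply, "verdict": verdict})
    return report


# Constructed sample capture (not real traffic): one probe the host answers,
# one it drops, and an ordinary SYN handshake that must not count as a probe.
SAMPLE_CAPTURE = [
    ("in",  build_segment(40001, 22, TH_SYN | TH_FIN, seq=1000)),
    ("out", build_segment(22, 40001, TH_SYN | TH_ACK, seq=5000, ack=1001)),
    ("in",  build_segment(40002, 80, TH_SYN | TH_FIN, seq=2000)),
    ("in",  build_segment(40003, 25, TH_SYN, seq=3000)),
    ("out", build_segment(25, 40003, TH_SYN | TH_ACK, seq=6000, ack=3001)),
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(f"probe {finding['client_port']} -> {finding['server_port']}: {finding['verdict']}")
```

Running it prints one line per SYN+FIN probe, so a host whose scanner finding is genuine shows "accepted with SYN+ACK" even though the sysctl reads 1. One reason that can happen on the FreeBSD releases named in the mail is that the 6.x and 7.x kernels honour net.inet.tcp.drop_synfin only when built with options TCP_DROP_SYNFIN, which GENERIC does not include, so a capture-based check is the quickest way to learn whether the setting is really in force on a given kernel.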
- Follow-Ups:
- Re: Dropping syn+fin replies, but not really?
- From: Jan Stary
- Re: Dropping syn+fin replies, but not really?
- From: Dag-Erling Smørgrav
- Re: Dropping syn+fin replies, but not really?
- From: Pieter de Boer
- Re: Dropping syn+fin replies, but not really?
- From: Eygene Ryabinkin
- Re: Dropping syn+fin replies, but not really?