Re: Dropping syn+fin replies, but not really?
- From: Dag-Erling Smørgrav <des@xxxxxx>
- Date: Mon, 24 Nov 2008 10:17:50 +0100
Eirik Øverby <ltning@xxxxxxxxxx> writes:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.
>
> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the
> host in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.
I added drop_synfin for one reason and one reason only: it prevented
nmap from reliably identifying a FreeBSD machine, and at the time, that
was sufficient to ward off the kind of script kiddies that would
regularly attack EFNet IRC servers. I don't think SYN+FIN packets were
ever a security issue, and I'm surprised Nessus thinks they are.
Perhaps someone read about drop_synfin and misunderstood its purpose?
Back to the issue at hand: you should use tcpdump to double-check
nessus's findings. Who knows, perhaps drop_synfin was broken in a
network stack reorganization.
DES
--
Dag-Erling Smørgrav - des@xxxxxx
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
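The tcpdump check DES recommends, carried through as an added example (not code from the thread): the capture filter that isolates SYN+FIN probes and their possible replies, plus a small parser that reads `tcpdump -n` lines and reports, per probed host, whether a SYN+ACK came back (drop_synfin not taking effect), an RST came back, or nothing did. The capture lines below are constructed sample data, not real traffic.

```python
import re
from typing import Dict, List

# Capture filter for tcpdump(1): SYN+FIN probes plus the SYN+ACK or RST replies they could provoke
TCPDUMP_FILTER = (
    "tcp[tcpflags] & (tcp-syn|tcp-fin) == (tcp-syn|tcp-fin) or "
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack) or "
    "tcp[tcpflags] & tcp-rst != 0"
)

# One line of `tcpdump -n` output: timestamp, src.port > dst.port, bracketed flags
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Worst verdict per host wins: a SYN+ACK proves the stack accepted the SYN+FIN
RANK = {"silent": 0, "reset": 1, "answered": 2}


def classify_synfin(lines: List[str]) -> Dict[str, str]:
    """For every host that received a SYN+FIN probe, report 'answered' (SYN+ACK came
    back, so drop_synfin is not taking effect), 'reset' (RST came back) or 'silent'."""
    probes: Dict[tuple, str] = {}  # (scanner, sport, host, dport) -> verdict
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if "S" in flags and "F" in flags:
            probes.setdefault((src, sport, dst, dport), "silent")
            continue
        key = (dst, dport, src, sport)  # a reply travels the reverse direction
        if key not in probes:
            continue
        if "S" in flags and "." in flags:
            probes[key] = "answered"
        elif "R" in flags and probes[key] == "silent":
            probes[key] = "reset"
    verdicts: Dict[str, str] = {}
    for (_, _, host, _), verdict in probes.items():
        if RANK[verdict] >= RANK.get(verdicts.get(host, "silent"), 0):
            verdicts[host] = verdict
    return verdicts


# Constructed sample capture (not real traffic): three probed hosts, three outcomes
SAMPLE = """\
10:17:50.000001 IP 192.0.2.10.40000 > 198.51.100.5.22: Flags [SF], seq 1, win 1024, length 0
10:17:50.000200 IP 198.51.100.5.22 > 192.0.2.10.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
10:17:51.000001 IP 192.0.2.10.40001 > 198.51.100.6.22: Flags [SF], seq 1, win 1024, length 0
10:17:52.000001 IP 192.0.2.10.40002 > 198.51.100.7.80: Flags [SF], seq 1, win 1024, length 0
10:17:52.000150 IP 198.51.100.7.80 > 192.0.2.10.40002: Flags [R.], seq 0, ack 2, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for host, verdict in sorted(classify_synfin(SAMPLE).items()):
        print(host, verdict)
```

Run the real capture on the firewall's outside interface during the scan (`tcpdump -n -i <iface> '<TCPDUMP_FILTER>'`) and feed its lines to `classify_synfin`; an 'answered' host is one where the sysctl is not doing what the scanner report assumes.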