Dropping syn+fin replies, but not really?
Pieter de Boer
pieter at thelostparadise.com
Sun Nov 23 09:53:07 PST 2008
Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen
> FreeBSD servers. Now we're required to run external security scans
> (nessus++) on some of the hosts, and they constantly come back with a
> "high" or "medium" severity problem: The host replies to TCP packets
> with SYN+FIN set.
I'd consider this at most a 'low' severity problem.
> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the host
> in question (recent FreeBSD 7.2-PRERELEASE) have
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a
> non-issue.
Given security tools' (including Nessus') track records of false
positives, I wouldn't be surprised if this was one of them.
> Have I missed something important? Apart from this the hosts and
> services get away without any serious issues, but the security audit
> company insists this so-called hole to be closed.
It's not a hole, but could possibly aid in bypassing filtering rules
(which is quite unlikely in this day and age). It may be wise to find a
security company that knows how to interpret and verify Nessus output.
If you want to do verification yourself, you could try the following:
- Run tcpdump on one of the servers and on the firewall
- Run nmap from an external host using the '--scanflags SYNFIN' flag
with destination the server.
You can let tcpdump only show specific ports and source/destination
addresses. It's probably useful to use nmap to scan both ports you know
to be open and in use and ports that are filtered. Using the -p option
to nmap, you can specify which ports to scan.
Perform the nmap scan and look at the tcpdump output to see how your
firewall and/or server react.
G'luck,
Pieter
More information about the freebsd-security
mailing list