Dropping syn+fin replies, but not really?

Jan Stary hans at stare.cz
Mon Nov 24 01:57:26 PST 2008


On Nov 23 17:03:15, Eirik Øverby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen  
> FreeBSD servers. Now we're required to run external security scans  
> (nessus++) on some of the hosts, and they constantly come back with a  
> "high" or "medium" severity problem: The host replies to TCP packets  
> with SYN+FIN set.

Apparently, nessus thinks that replying to SYNFIN packets at all is
a problem. But it thinks so because you configured it to think so,
right? Or is this hardwired into nessus? Also, why would nessus
sometimes think that it's a "high" severity problem, and at other
times, it's a "medium" severity problem?

> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the  
> host in question (recent FreeBSD 7.2-PRERELEASE) have  
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a non- 
> issue.

If you configured your firewall and servers to NOT reply to SYNFIN packets,
and they still do, then this is a configuration issue itself.

Have you also checked with other tools to find whether your servers reply
to SYNFIN, or do you trust nessus who says so?

	Jan
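The suggestion above is to confirm with a second tool, rather than the scanner's report, whether a host actually answers a SYN+FIN segment. The following added example (not part of the thread, and not FreeBSD or pfSense code) shows one way to do that from a packet capture taken on the server side: it decodes the flag bits of a raw TCP header and pairs each SYN+FIN probe with any segment sent back on the reversed 4-tuple. A host on which `net.inet.tcp.drop_synfin=1` is in effect sends nothing back, so any reply at all (SYN+ACK or RST) means the segment was not dropped. The sample traffic, the addresses and the helper `build_tcp_header` are constructed for the example.

```python
import struct
from typing import Iterable, List, Tuple

# TCP flag bits as laid out in the low nine bits of the 16-bit
# data-offset/flags field (RFC 793; ECE/CWR from RFC 3168, NS from RFC 3540).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))
FLAG_NAMES = [(SYN, "SYN"), (FIN, "FIN"), (RST, "RST"), (ACK, "ACK"), (PSH, "PSH"),
              (URG, "URG"), (ECE, "ECE"), (CWR, "CWR"), (NS, "NS")]


def parse_tcp_flags(segment: bytes) -> int:
    """Return the flag bits of a raw TCP segment (header starts at byte 0)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    # bytes 12-13 hold data offset (4 bits), reserved bits and the 9 flag bits
    off_flags = struct.unpack("!H", segment[12:14])[0]
    return off_flags & 0x01FF


def flag_names(flags: int) -> str:
    """Render flag bits in a readable form, e.g. 'SYN+FIN'."""
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    return "+".join(names) if names else "none"


def is_synfin(flags: int) -> bool:
    """True when both SYN and FIN are set, whatever else is set."""
    return flags & (SYN | FIN) == (SYN | FIN)


Flow = Tuple[str, int, str, int, int]  # (src, sport, dst, dport, flags)


def synfin_replies(packets: Iterable[Flow]) -> List[Tuple[str, int, str]]:
    """Pair each SYN+FIN probe with any later segment sent back on the
    reversed 4-tuple. Silence means the probe was dropped; any reply
    (SYN+ACK, RST+ACK, ...) is reported as (host, port, reply flags)."""
    outstanding = set()
    replies = []
    for src, sport, dst, dport, flags in packets:
        if is_synfin(flags):
            outstanding.add((dst, dport, src, sport))
        elif (src, sport, dst, dport) in outstanding:
            replies.append((src, sport, flag_names(flags)))
            outstanding.discard((src, sport, dst, dport))
    return replies


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (no options, zero checksum), used
    only to feed parse_tcp_flags() in this example."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       (5 << 12) | flags, 65535, 0, 0)


# Constructed sample of what a server-side capture might contain.
# Addresses are from documentation ranges, not real hosts.
SCANNER = "198.51.100.5"
SAMPLE: List[Flow] = [
    (SCANNER, 40000, "192.0.2.10", 22, SYN | FIN),       # probe
    ("192.0.2.10", 22, SCANNER, 40000, SYN | ACK),       # host answered: not dropped
    (SCANNER, 40001, "192.0.2.11", 80, SYN | FIN),       # probe
    (SCANNER, 40001, "192.0.2.11", 80, SYN | FIN),       # retransmitted probe, still silent
    (SCANNER, 40002, "192.0.2.12", 25, SYN | FIN),       # probe
    ("192.0.2.12", 25, SCANNER, 40002, RST | ACK),       # a RST is a reply too
    ("192.0.2.11", 80, "203.0.113.9", 5555, SYN | ACK),  # unrelated traffic
]

if __name__ == "__main__":
    hdr = build_tcp_header(40000, 22, SYN | FIN)
    print("decoded flags:", flag_names(parse_tcp_flags(hdr)))
    for host, port, reply in synfin_replies(SAMPLE):
        print(f"{host}:{port} replied to SYN+FIN with {reply}")
```

On the sample, 192.0.2.11 stays silent (what drop_synfin=1 should produce), while 192.0.2.10 and 192.0.2.12 are reported because they sent something back. Feeding real traffic in only requires extracting the 4-tuple and the raw TCP header from each captured packet and calling `parse_tcp_flags()` on it.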
