Dropping syn+fin replies, but not really?

Eygene Ryabinkin rea-fbsd at codelabs.ru
Sun Nov 23 12:43:07 PST 2008 

Eirik, good day.

Sun, Nov 23, 2008 at 05:03:15PM +0100, Eirik ?verby wrote:
> I have a FreeBSD based firewall (pfsense) and, behind it, a few dozen  
> FreeBSD servers. Now we're required to run external security scans  
> (nessus++) on some of the hosts, and they constantly come back with a  
> "high" or "medium" severity problem: The host replies to TCP packets  
> with SYN+FIN set.
> 
> Problem: Both the firewall (FreeBSD 6.2-based pfSense 1.2) and the  
> host in question (recent FreeBSD 7.2-PRERELEASE) have  
> net.inet.tcp.drop_synfin=1 - I would therefore expect this to be a non- 
> issue.

First of all, (if I am correct) your firewall's setting for drop_synfin
isn't relevant for the packets that are traversing the firewall: TCP
input layer drops these and firewall isn't using this layer.

The easy way to identify if there are replies to SYN+FIN is to spawn
tcpdump on the firewall and see what's going on.  It may be well so that
the some sort of scrubbing/modulation is done on the firewall, so when
firewall notices that the SYN + FIN is blackholed, it generates RST by
itself or just blocks SYN + FIN by itself, but sends RST.  I am making
guesses here, because I can't test it just now and I have no idea about
your setup.

If I remember correctly, pf is used on the pfSense, so you can easily
block SYN + FIN on the ingress port(s):
-----
block in quick  on $ingress proto tcp from any to <protected_hosts> \
  flags SF/ASF
-----
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual   
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
    {_.-``-'         {_/            #
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20081123/f3e16021/attachment.pgp

More information about the freebsd-security mailing list