
Re: packets with SYN and FIN set not discarded! what does "scrub" actually do ?

Daniel Staal said:
> --As of Saturday, January 24, 2004 6:42 PM +0100, Per-Olov Sjöholm
> is alleged to have said:
>> Hi !
>> A friend yesterday scanned my firewall with nessus. One thing he
>> found was that nessus said:
>> "The remote host does not discard TCP SYN packet which have the FIN
>> flag set. Depending on the kind of firewall you are using, an
>> attacker may use this flaw to bypass its rules."
>> I do however use:
>> block log all
>> scrub in on $INTERNET_INT all fragment reassemble
>> And on all incoming TCP "permit" rules I use "S/SA" as the flag
>> combination.
> The 'S/SA' is what is confusing you here.  The syntax for that is:
> 'accepted/watch'.  So pf here is only checking to see if the packets
> have the S or A flags set, and only accepting those that have the S
> flag (and not the A flag).  All other flags are ignored.  If you want
> to block packets with SF set, you need to put that in the 'watch'
> section: 'S/SAF'
> Exactly which flags you should watch is a subject of much debate.  A
> general consensus at one time was you should say at least 'S/SAFR',
> but there were various opinions about what else might be a good idea.
> Scrub doesn't touch the flags.
I know the purpose of the flag mask... But I thought Daniel Hartmeier said
that F is cleared by scrub if it's in a combination with S, and therefore
combinations like S/SAF or S/SAFR should not be necessary.
And the problem is that scrub, according to the "nessus" scan, doesn't clear
the F flag.
If I have S/SA on an accept rule and a generic scrub statement I would
according to what Daniel Hartmeier said assume the following:
The F flag should be cleared by scrub !
Either I specify the scrub statement wrong or totally misunderstand
something here...
> Daniel T. Staal
> ---------------------------------------------------------------
> This email copyright the author.  Unless otherwise noted, you
> are expressly allowed to retransmit, quote, or otherwise use
> the contents for non-commercial purposes.  This copyright will
> expire 5 years after the author's death, or in 30 years,
> whichever is longer, unless such a period is in excess of
> local copyright law.
> ---------------------------------------------------------------
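A worked model of the "accepted/watch" flag matching that Daniel describes, added here as an example; it is not code from the thread or from pf itself. It masks a probe packet's TCP flags with the watch set and compares the result to the accepted set, so any flag outside the watch set is ignored. The probe list and the subset check on the rule are constructed for the example; the flag letters follow pf.conf.

```python
"""Toy model of pf's TCP "flags accepted/watch" rule matching.

Added example, not code from the thread or from pf.  It models the
semantics described in the reply: pf masks the packet's TCP flags with
the "watch" set and compares the result to the "accepted" set; every
flag outside the watch set is ignored.  Probe packets are constructed.
"""

# TCP flag bits as laid out in the TCP header (low six bits).
TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
}


def parse_flags(letters):
    """Turn a pf-style flag string such as "SF" into a bitmask."""
    mask = 0
    for ch in letters:
        if ch not in TCP_FLAGS:
            raise ValueError("unknown TCP flag letter: %r" % ch)
        mask |= TCP_FLAGS[ch]
    return mask


def parse_flag_rule(rule):
    """Split "accepted/watch" (e.g. "S/SA") into two bitmasks.

    The subset check is this model's own sanity check (an accepted flag
    that is not watched could never be required), not a statement about
    what pfctl accepts.
    """
    accepted_str, _, watch_str = rule.partition("/")
    accepted, watch = parse_flags(accepted_str), parse_flags(watch_str)
    if accepted & ~watch:
        raise ValueError("accepted flags must be a subset of watched flags: %r" % rule)
    return accepted, watch


def rule_matches(rule, packet_flags):
    """True if a packet carrying packet_flags passes the rule's flag check."""
    accepted, watch = parse_flag_rule(rule)
    return (parse_flags(packet_flags) & watch) == accepted


def probe_table(rules, probes):
    """For each rule, list which probe packets its flag check lets through."""
    return {rule: [p for p in probes if rule_matches(rule, p)] for rule in rules}


# Constructed scanner-style probes: a normal SYN, a SYN/ACK, the SYN+FIN
# the scanner sent, SYN+RST, and a SYN with PSH (a flag no rule below watches).
PROBES = ["S", "SA", "SF", "SR", "SP"]
RULES = ["S/SA", "S/SAF", "S/SAFR"]

if __name__ == "__main__":
    for rule, passed in probe_table(RULES, PROBES).items():
        print("flags %-7s lets through: %s" % (rule, ", ".join(passed)))
```

Running it shows why the scan result is consistent with a plain S/SA rule: SYN+FIN masked by SA is just S, so the rule accepts it, and only adding F (and R) to the watch set makes those combinations fail the check.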