Re: packets with SYN and FIN set not discarded! what does "scrub" actually do ?

On Sun, Jan 25, 2004 at 02:59:16PM +0100, Per-Olov Sjöholm wrote:
> I know the purpose of the flag mask... But I thought Daniel Hartmeier said
> that F is cleared by scrub if it's in a combination with S, and therefore
> combinations like S/SAF or S/SAFR should not be necessary.
> And the problem is that scrub according to a "nessus" scan doesn't clear
> the F flag.
> If I have S/SA on an accept rule and a generic scrub statement I would
> according to what Daniel Hartmeier said assume the following:
> The F flag should be cleared by scrub !
> Either I specify the scrub statement wrong or totally misunderstand
> something here...
If your scrub rule matches (pfctl -vsr packet vs. evaluation counters
will tell), the FIN bit is cleared. Afterwards, the filter rules are
evaluated. If a pass rule matches (flags S/SA would match, as would
flags S/SAF, since FIN is already cleared at that point), the packet is
passed, and the recipient will likely return a SYN+ACK.
That might cause nessus to report the SYN+FIN has penetrated the
firewall, but it hasn't really. You explicitly allowed the connection
with the pass rule. If you change the rules to block the connection
instead (based on port, not flags), it is blocked. nessus can't bypass
the ruleset by using SYN+FIN, and its report is misleading. It can't
tell whether the FIN was removed (from the SYN+ACK it gets back). It can
only send the SYN+FIN and check whether a SYN+ACK comes back, then draw
(wrong) conclusions.
I'd just ignore the warning. If you have doubts, run tcpdump on the
internal interface (or the recipient), and try to bypass a block rule
with nessus.
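The scrub-then-filter sequence described in the reply, as an added worked model (not code from the pf project or from either poster). It reproduces only what the post states: scrub clears FIN on a SYN+FIN packet, the filter rules then see the cleaned flags and match them against a flags/mask spec such as S/SA or S/SAF, the last matching rule wins (pf's default without "quick"), and a probe that only watches for a SYN+ACK cannot tell whether the FIN was stripped. The rule dictionaries, port numbers, and the probe packet are constructed for the example.

```python
"""Model of scrub -> filter-rule evaluation as described in the reply.

Added example, not pf's code. The rule representation, the ports and
the SYN+FIN probe below are constructed for illustration.
"""

# TCP flag letters as used in pf's flags/mask syntax, mapped to header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec):
    """'S/SA' -> (flags, mask): of the bits in mask, exactly flags must be set."""
    want, mask = spec.split("/")
    return (sum(FLAG_BITS[c] for c in want), sum(FLAG_BITS[c] for c in mask))


def scrub(pkt):
    """Normalisation step from the post: a SYN+FIN packet loses its FIN."""
    syn_fin = FLAG_BITS["S"] | FLAG_BITS["F"]
    if pkt["flags"] & syn_fin == syn_fin:
        return dict(pkt, flags=pkt["flags"] & ~FLAG_BITS["F"])
    return pkt


def flags_match(pkt_flags, spec):
    """True when the masked bits of the packet equal the wanted bits."""
    want, mask = parse_flags(spec)
    return pkt_flags & mask == want


def evaluate(rules, pkt):
    """Walk the ruleset; the last matching rule decides (no 'quick')."""
    decision = "block"  # constructed default when nothing matches
    for rule in rules:
        if rule.get("port") not in (None, pkt["dport"]):
            continue
        if "flags" in rule and not flags_match(pkt["flags"], rule["flags"]):
            continue
        decision = rule["action"]
    return decision


def firewall(rules, pkt, scrub_enabled=True):
    """Scrub first (if enabled), then filter.

    Returns (decision, flags as the filter rules saw them)."""
    if scrub_enabled:
        pkt = scrub(pkt)
    return evaluate(rules, pkt), pkt["flags"]


def scanner_verdict(decision):
    """All a SYN+FIN probe can observe is whether a SYN+ACK comes back;
    it cannot see whether the FIN was removed on the way in."""
    if decision == "pass":
        return "SYN+ACK returned, scanner reports SYN+FIN 'passed'"
    return "no reply"


# Constructed ruleset: block everything, then accept SYNs to port 80 (S/SA).
RULESET = [
    {"action": "block"},
    {"action": "pass", "port": 80, "flags": "S/SA"},
]

# Constructed SYN+FIN probe aimed at the accepted port.
PROBE = {"dport": 80, "flags": FLAG_BITS["S"] | FLAG_BITS["F"]}


if __name__ == "__main__":
    for label, rules, enabled in [
        ("S/SA, scrub on", RULESET, True),
        ("S/SA, scrub off", RULESET, False),
        ("S/SAF, scrub on", [RULESET[0], dict(RULESET[1], flags="S/SAF")], True),
        ("S/SAF, scrub off", [RULESET[0], dict(RULESET[1], flags="S/SAF")], False),
        ("blocked by port", [RULESET[0], dict(RULESET[1], port=22)], True),
    ]:
        decision, seen = firewall(rules, PROBE, enabled)
        print(f"{label:18s} filter saw flags 0x{seen:02x} -> {decision:5s} "
              f"({scanner_verdict(decision)})")
```

Running it shows the point of the reply: with the pass rule on port 80 the probe is passed whether or not scrub ran (S/SA does not include F in its mask), S/SAF only passes it because scrub cleared the FIN first, and moving the pass rule to another port blocks it regardless of flags. In every passed case the scanner sees the same SYN+ACK and cannot distinguish a stripped FIN from a forwarded one.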