[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: packets with SYN and FIN set not discarded! what does "scrub" actually do ?



Daniel Hartmeier said:
> On Sun, Jan 25, 2004 at 02:59:16PM +0100, Per-Olov Sjöholm wrote:
>
>> I know the purpose of the flag mask... But I thought Daniel Hartmeier
>> said
>> that F is cleared by scrub if it's in a combination with S, and therefor
>> should combinations like S/SAF or S/SAFR not be necessary.
>> And the problem is that scrub according to a "nessus" scan doesn't clear
>> the F flag.
>> If I have S/SA on an accept rule and a generic scrub statement I would
>> according to what Daniel Hartmeier said assume the following:
>> The F flag should be cleared by scrub !
>> Either I specifies the scrub statement wrong or totally missunderstand
>> something here...
>
> If your scrub rule matches (pfctl -vsr packet vs. evaluation counters
> will tell), the FIN bit is cleared. Afterwards, the filter rules are
> evaluated. If a pass rule matches (flags S/SA would match, as would
> flags S/SAF, since FIN is already cleared at that point), the packet is
> passed, and the receipient will likely return a SYN+ACK.
>
> That might cause nessus to report the SYN+FIN has penetrated the
> firewall, but it hasn't really. You explicitely allowed the connection
> with the pass rule. If you change the rules to block the connection
> instead (based on port, not flags), it is blocked. nessus can't bypass
> the ruleset by using SYN+FIN, and its report is misleading. It can't
> tell whether the FIN was removed (from the SYN+ACK it gets back). It can
> only send the SYN+FIN and check whether a SYN+ACK comes back, then draw
> (wrong) conclusions.
>
> I'd just ignore the warning. If you have doubts, run tcpdump on the
> internal interface (or the receipient), and try to bypass a block rule
> with nessus.
>
> Daniel
>
Thank you Daniel.
Now it's crystal clear.
Regards
Per-Olov Sjöholm