On Wed, Mar 11, 2009 at 10:54:18AM -0400, Jason Dixon wrote:
> On Wed, Mar 11, 2009 at 10:42:38AM -0400, Stuart VanZee wrote:
> > I understand that this might annoy a few of you, If it does
> > please accept my apologies.
> >
> > The place I work is required to have an external security scan
> > from time to time and the latest scan says that we have failed
> > because the firewall responded to a TCP packet that has the SYN
> > and FIN flags set. I know that OpenBSD isn't vulnerable to the
> > exploits that use this:
> >
> > http://www.kb.cert.org/vuls/id/IAFY-5F8RWP
> >
> > However, I don't see any reason to respond to a packet with SYN
> > and FIN set, AND, a firewall rule that drops said TCP packets
> > would fix the fact that we are now "non compliant" as far as
> > the security scan goes. I think a pf rule such as:
> >
> > block drop in quick proto tcp all flags SF/SF
> >
> > would do it.
> >
> > Does anyone see a way that this would come back to bite me on
> > the ass later?
>
> S/SAFR
>
> I just had to deal with this on our customer's PCI scan. Don't argue
> with the logic, just do it. :)

I should clarify, you want to use the above flags on your pass rule.
Don't bother with a block rule matching on flags.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
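Added example, not from the thread or from pf itself: a small model of pf's "flags a/b" matching (of the flags in b, exactly those in a must be set) with a last-match-wins ruleset, showing why S/SAFR on the pass rule rejects a SYN+FIN probe while pf's default S/SA for pass rules would let it create state. The rulesets and packet flag values are constructed for the example.

```python
# Constructed model of pf "flags a/b" semantics; not pf's own code.

TCP_FLAG_BITS = {  # pf flag letters -> TCP header bits
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}


def flagset(letters):
    """Turn a pf flag string such as 'SAFR' into a bitmask."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAG_BITS[ch]
    return bits


def flags_match(spec, packet_flags):
    """pf 'flags a/b': only flags in b are examined; those in a must be set, the rest of b unset."""
    if spec == "any":
        return True
    check, mask = spec.split("/")
    check_bits, mask_bits = flagset(check), flagset(mask)
    if check_bits & ~mask_bits:
        raise ValueError("flags in 'a' must also appear in 'b'")
    return (packet_flags & mask_bits) == check_bits


def evaluate(ruleset, packet_flags):
    """Last matching rule wins, as in pf; a 'quick' rule ends evaluation."""
    result = "no match"
    for action, quick, spec in ruleset:
        if flags_match(spec, packet_flags):
            result = action
            if quick:
                break
    return result


# Constructed rulesets: default deny plus Jason's pass rule, and the same
# policy with pf's default S/SA pass flags for comparison.
DEFAULT_DENY = ("block", False, "any")
HARDENED = [DEFAULT_DENY, ("pass", False, "S/SAFR")]
PF_DEFAULT = [DEFAULT_DENY, ("pass", False, "S/SA")]

SYN, SYN_FIN, SYN_ACK = flagset("S"), flagset("SF"), flagset("SA")
```

With S/SA the FIN bit is simply not examined, so a SYN+FIN segment still matches the pass rule; with S/SAFR the extra FIN makes the comparison fail and the packet falls through to the block rule.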