On Wed, Mar 11, 2009 at 10:42:38AM -0400, Stuart VanZee wrote:
> I understand that this might annoy a few of you. If it does,
> please accept my apologies.
>
> The place I work is required to have an external security scan
> from time to time and the latest scan says that we have failed
> because the firewall responded to a TCP packet that has the SYN
> and FIN flags set. I know that OpenBSD isn't vulnerable to the
> exploits that use this:
>
> http://www.kb.cert.org/vuls/id/IAFY-5F8RWP
>
> However, I don't see any reason to respond to a packet with SYN
> and FIN set, AND, a firewall rule that drops said TCP packets
> would fix the fact that we are now "non compliant" as far as
> the security scan goes. I think a pf rule such as:
>
> block drop in quick proto tcp all flags SF/SF
>
> would do it.
>
> Does anyone see a way that this would come back to bite me on
> the ass later?
S/SAFR

I just had to deal with this on our customer's PCI scan. Don't argue with the logic, just do it. :)

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
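As an added illustration (not code from either poster), a small Python model of pf's `flags check/mask` matching: flags in the mask are examined, those in the check part must be set, the rest of the mask must be clear, and flags outside the mask are ignored. It compares Stuart's `SF/SF` block rule with Jason's `S/SAFR` pass rule on constructed sample packets, under the assumption of a default-block policy.

```python
# Added example, not part of the thread. Models pf's `flags check/mask`
# semantics: check = flags that must be set, mask = flags that are examined;
# every flag in mask but not in check must be clear, others are ignored.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec):
    """Turn a pf-style flag string such as 'SA' into a bitmask."""
    bits = 0
    for ch in spec:
        bits |= TCP_FLAGS[ch]
    return bits


def pf_flags_match(packet_flags, rule):
    """True if a packet with the given flag bits matches `flags check/mask`."""
    check, mask = rule.split("/")
    return (packet_flags & parse_flags(mask)) == parse_flags(check)


def verdict(packet_flags):
    """Verdict for an inbound TCP packet under a hypothetical ruleset that
    first applies Stuart's `block drop in quick proto tcp all flags SF/SF`,
    then passes only what Jason's `flags S/SAFR` accepts, and blocks the rest
    (assumed default-block policy)."""
    bits = parse_flags(packet_flags)
    if pf_flags_match(bits, "SF/SF"):
        return "block (SF/SF)"
    if pf_flags_match(bits, "S/SAFR"):
        return "pass (S/SAFR)"
    return "block (default)"


# Constructed sample packets, written as flag strings like those in a pf log.
SAMPLES = ["S", "SF", "SFA", "SR", "SA", "F", "SP"]

if __name__ == "__main__":
    for flags in SAMPLES:
        print(f"{flags:4} -> {verdict(flags)}")
```

The `SP` case shows that PSH is outside the `SAFR` mask and so does not affect the match, while `SR` and `SA` are caught only by the default block, not by the `SF/SF` rule.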