    Netgate Discussion Forum
    Pfsense disable tcp timestamps RFC1323

    Firewalling
klonet:

      Hi,
After a vulnerability scan of a pfSense server, 2.3.2-RELEASE (amd64), I need to mitigate this vulnerability:

      It was detected that the host implements RFC1323.

      any idea?
Thanks
      Stefani

johnpoz (LAYER 8 Global Moderator):

        And who/what says that should be off?

        [2.3.2-RELEASE][root@pfsense.local.lan]/root: sysctl net.inet.tcp.rfc1323
        net.inet.tcp.rfc1323: 1
        [2.3.2-RELEASE][root@pfsense.local.lan]/root:

        You should be able to adjust that in the tunable section..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 23.01 | Lab VMs CE 2.6, 2.7

klonet:

          Hello,

The OSSIM vulnerability scan reports the host implementing RFC1323 as a vulnerability:

          Vulnerability Detection Result:

          It was detected that the host implements RFC1323.

          Insight:

          The remote host implements TCP timestamps, as defined by RFC1323.

          Summary:

The remote host implements TCP timestamps and therefore allows its uptime
to be computed.

          Solution:

          To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
          /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

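What the scanner is pointing at is the arithmetic below: two replies from the same host carry TSval values that advance at a fixed rate, so a remote observer can derive the tick rate and, if the counter started at zero on boot, the uptime. This is an added example for the thread, not the scanner's or pfSense's code; the probe data is constructed, and the 1 kHz clock and the Unix epoch timestamps are assumptions for the sake of the demonstration.

```python
"""Estimate a host's uptime from TCP timestamp (TSval) values, the finding the
scanner describes. Added example, not part of the thread; all probe data below
is constructed, not captured from a real host."""
import struct
from dataclasses import dataclass

TS_MODULUS = 2 ** 32          # TSval is a 32-bit counter and wraps
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8


def parse_tsval(options: bytes):
    """Return TSval from a raw TCP options field, or None if no timestamp option."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None                      # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                      # malformed length, stop parsing
        if kind == TCPOPT_TIMESTAMP and length == 10:
            tsval, _tsecr = struct.unpack("!II", options[i + 2:i + 10])
            return tsval
        i += length
    return None


@dataclass(frozen=True)
class Probe:
    wall_time: float   # scanner's own clock, seconds since the Unix epoch
    tsval: int         # TSval the target put in its reply


def ts_delta(first: int, second: int) -> int:
    """Ticks elapsed between two TSvals, correct across the 32-bit wrap."""
    return (second - first) % TS_MODULUS


def tick_rate_hz(p0: Probe, p1: Probe) -> float:
    """Timestamp clock rate inferred from two probes taken over a known interval."""
    elapsed = p1.wall_time - p0.wall_time
    if elapsed <= 0:
        raise ValueError("probes must be in chronological order")
    return ts_delta(p0.tsval, p1.tsval) / elapsed


def uptime_seconds(p0: Probe, p1: Probe) -> float:
    """Uptime at p1, assuming the timestamp clock started at 0 on boot and has
    not wrapped yet (on a 1 kHz clock the counter wraps after ~49.7 days)."""
    return p1.tsval / tick_rate_hz(p0, p1)


def boot_time(p0: Probe, p1: Probe) -> float:
    """Boot time on the scanner's clock; compare against a patch's release date."""
    return p1.wall_time - uptime_seconds(p0, p1)


def build_timestamp_option(tsval: int, tsecr: int = 0) -> bytes:
    """Constructed options field: two NOPs then a 10-byte timestamp option."""
    header = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_TIMESTAMP, 10])
    return header + struct.pack("!II", tsval, tsecr)


if __name__ == "__main__":
    # Constructed: two SYN/ACK replies 10 s apart from a host ticking at 1 kHz.
    first = Probe(1_700_000_000.0, parse_tsval(build_timestamp_option(3_600_000)))
    second = Probe(1_700_000_010.0, parse_tsval(build_timestamp_option(3_610_000)))
    print(f"tick rate: {tick_rate_hz(first, second):.0f} Hz")
    print(f"uptime at second probe: {uptime_seconds(first, second):.0f} s")
```

The whole inference rests on the "counter started at zero on boot" assumption; a stack or a scrubbing firewall that applies a random per-connection offset to TSval leaves the tick rate recoverable but makes the absolute value, and hence the uptime, meaningless.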
johnpoz (LAYER 8 Global Moderator):

It is also a very useful thing ;)  The risk is pretty freaking low!! An attacker might be able to take a guess at how long the system has been up.  So from that, if you leave your systems up for years and years, I guess it's possible they could tell whether you have applied, say, a patch..

So if you ask me that would be some attempt at security via obscurity, which as we all know is not security..

I do believe in PCI compliance it is even considered a very low risk.  Been awhile since I had to do anything of that nature..

Is this some work thing where you got scanned and the boss is saying take care of these items?  Or did you scan yourself and are following advice without understanding the specific risk and why they list it as an issue in the first place?

I would highly suggest you do some research on the validity of turning off settings like these for security reasons; it could have issues with your overall performance, etc. Quite often the security reasoning is really really flimsy..

            edit: pfsense is not linux ;)  You can make such settings in the
            System / Advanced / System Tunables

If I am not mistaken, without timestamps you don't have protection against sequence number wrapping..  My advice: don't just do everything some scanner says is a security vulnerability.

Harvy66:

              From a quick search, it looks like PF packet scrubbing randomizes the RFC1323 timestamp. I see this for sure with OpenBSD documentation, but I found a reference to a FreeBSD config option to disable scrubbing if you need RFC1323 not manipulated.

jimp (Rebel Alliance Developer, Netgate):

                Also make sure you are actually scanning the firewall for that. Frequently when people find results that look abnormal they realize later they are hitting a port forward/nat reflection and they're getting a result from their internal server and NOT from pfSense itself.

                Also many things you see referenced from the IP stack in sysctl only affect traffic that terminates at the firewall, not traffic that passes through.

chrcoluk:

RFC1323, when disabled, also disables large TCP windows, which would cause performance issues when pfSense is the end point, e.g. when a VPN is configured.  The so-called timestamps security issue is nothing important to worry about.

                  pfSense 2.6.0 - ISP AAISP UK

Harvy66:

@chrcoluk:

> RFC1323, when disabled, also disables large TCP windows, which would cause performance issues when pfSense is the end point, e.g. when a VPN is configured.  The so-called timestamps security issue is nothing important to worry about.

                    I had to look this up. TCP window scaling requires timestamps to protect against certain corner cases. Like chrcoluk said, disabling timestamps will limit your TCP window to at most 64KiB.

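The cost side of the trade-off that chrcoluk and Harvy66 describe, and the sequence-wrap point johnpoz raises, come down to a few numbers: a 16-bit window field caps an unscaled window at 65535 bytes, a single connection can move at most one window per RTT, and at high rates the 32-bit sequence space wraps within a segment lifetime, which is why timestamps (PAWS) matter once windows are large. The block below is an added example for the thread, not pfSense or FreeBSD code; the 50 ms RTT and the link rates are constructed figures.

```python
"""Window-scaling and sequence-wrap arithmetic behind "disabling RFC1323 limits
you to 64 KiB windows". Added example, not part of the thread; link figures
used below are constructed."""

MAX_UNSCALED_WINDOW = 2 ** 16 - 1   # 16-bit window field: 65535 bytes
MAX_WSCALE_SHIFT = 14               # RFC 1323/7323 cap, keeps window < 2**30
SEQ_SPACE = 2 ** 32                  # 32-bit sequence numbers


def max_window_bytes(rfc1323_enabled: bool, wscale_shift: int = MAX_WSCALE_SHIFT) -> int:
    """Largest receive window a host can advertise with/without window scaling."""
    if not rfc1323_enabled:
        return MAX_UNSCALED_WINDOW          # no wscale option on the SYN at all
    if not 0 <= wscale_shift <= MAX_WSCALE_SHIFT:
        raise ValueError("window scale shift must be 0..14")
    return MAX_UNSCALED_WINDOW << wscale_shift


def throughput_ceiling_bps(window_bytes: int, rtt_seconds: float) -> float:
    """One window per round trip is the hard cap for a single TCP connection."""
    return window_bytes * 8 / rtt_seconds


def required_wscale_shift(bandwidth_bps: float, rtt_seconds: float) -> int:
    """Smallest shift whose window covers the bandwidth-delay product."""
    bdp_bytes = bandwidth_bps / 8 * rtt_seconds
    shift = 0
    while (MAX_UNSCALED_WINDOW << shift) < bdp_bytes:
        shift += 1
        if shift > MAX_WSCALE_SHIFT:
            raise ValueError("BDP exceeds what window scaling can cover")
    return shift


def seq_wrap_seconds(bandwidth_bps: float) -> float:
    """Time for the 32-bit sequence space to wrap at full rate. When this is
    shorter than the maximum segment lifetime, a delayed old segment can land
    inside the current window; PAWS uses the timestamp option to reject it."""
    return SEQ_SPACE / (bandwidth_bps / 8)


if __name__ == "__main__":
    rtt = 0.05   # constructed: 50 ms between a VPN endpoint and its peer
    for enabled in (False, True):
        w = max_window_bytes(enabled)
        cap = throughput_ceiling_bps(w, rtt) / 1e6
        print(f"rfc1323={enabled}: max window {w} B, ceiling {cap:.1f} Mbit/s")
    print(f"shift needed for 1 Gbit/s at 50 ms RTT: {required_wscale_shift(1e9, rtt)}")
    print(f"sequence space wraps in {seq_wrap_seconds(1e9):.1f} s at 1 Gbit/s")
```

With the tunable off, the 50 ms path in the example is held to roughly 10 Mbit/s per connection regardless of link speed; at 1 Gbit/s the sequence numbers wrap in about 34 s, well under the two-minute maximum segment lifetime RFC 1323 assumes, which is the case timestamps exist to cover.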