
packets with SYN and FIN set not discarded! what does "scrub" actually do ?

Hi!
A friend yesterday scanned my firewall with nessus. One thing he found was
that nessus said:
"The remote host does not discard TCP SYN packet which have the FIN flag
set. Depending on the kind of firewall you are using, an attacker may use
this flaw to bypass its rules."
I do however use:
block log all
scrub in on $INTERNET_INT all fragment reassemble
And on all incoming TCP "permit" rules I use "S/SA" as the flag combination.
I have earlier used rules like:
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags UAPRSF/UAPRSF
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags PUF/PUF
But I removed these as I assumed that "scrub" would block all illegal flag
combinations for me.
Questions:
* What does "scrub" actually do? Can't find much in the pf.conf man page.
* Do I have to manually block all illegal flag combinations as I earlier
used to do when I used ipfilter?
I have not looked any deeper into this as I know there are a lot of bright
people on this list that probably know this...
Thanks in advance
Per-Olov Sjöholm
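An added pf.conf example, written by the editor and not part of the original post or of the pf project's documentation, showing the explicit block rules for bogus TCP flag combinations placed ahead of the pass rules. It reuses the $INTERNET_INT and $ALL_INTERFACES macros from the post; the port 22 pass rule and its placement are assumptions for illustration. The relevant caveat: "flags S/SA" only compares the SYN and ACK bits, so a packet with SYN and FIN set (SYN=1, ACK=0) satisfies S/SA and would be accepted by such a pass rule unless a block rule catches it first.

```pf
# Added example, not from the original post. Macros $INTERNET_INT and
# $ALL_INTERFACES come from the post; the pass rule at the end is assumed.

# Fragment reassembly and normalization. This does not by itself reject
# illegal TCP flag combinations, so they must be blocked explicitly.
scrub in on $INTERNET_INT all fragment reassemble

# Default deny.
block log all

# pf compares only the bits named after the slash, so "flags S/SA" matches
# any packet with SYN set and ACK clear, including SYN+FIN. Drop the bogus
# combinations first; "quick" stops evaluation so no pass rule sees them.
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags SF/SF          # SYN and FIN both set
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags /SFRA          # no SYN/FIN/RST/ACK at all (null scan)
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags F/SFRA         # FIN without ACK
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags UAPRSF/UAPRSF  # every flag set

# Assumed pass rule: only a clean SYN (SYN set, ACK clear) creates state;
# packets with the combinations above were already dropped.
pass in on $INTERNET_INT inet proto tcp from any to any port 22 flags S/SA keep state
```

Load with `pfctl -f /etc/pf.conf` and watch `pflog0` with tcpdump while repeating the scan; the SYN+FIN probe should now appear as a logged block rather than reaching a pass rule.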