
Filter on packet content
Hi all. My company recently underwent the first stages of a security review by a third party. In this first stage they gathered information about our network via publicly accessible records and such, and did some port scans and some other light probing to see what they could detect on our network.

The one thing that stuck out to me was this (from their report): "remote host does not discard TCP SYN packets that also have the FIN flag set." This note appeared for every visible server they probed. Now, I thought (based on the PF FAQ) that doing a scrub on incoming packets would stop this from happening. The first line (well, 2nd really) of my pf.conf is "scrub in all".

Is something odd going on here? All of our servers they probed are behind the firewall, so the scrub rule is in effect for all of them. Is scrub just cleaning the packets instead of dropping them outright?

PS. The actual first line of my pf.conf is:
# It puts the lotion on the packets... ;)
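The question above is whether scrub drops a SYN+FIN segment or merely cleans it. The following Python model is an added example, not part of the original post or of PF itself: it encodes my reading of the TCP flag handling in pf's pf_norm.c (SYN+FIN has the FIN cleared and continues, SYN+RST is dropped) and then runs the result through the two filter rules the scenario cares about, to show why a later `flags FS/FS` block rule never sees the packet. The normalization rules are an assumption to verify against the pf_norm.c of the PF version you actually run.

```python
# Added example (not from the original post, not PF's own code). Models how
# I read pf's TCP normalization (pf_normalize_tcp in pf_norm.c): scrub does
# not discard a SYN+FIN segment, it clears the FIN and hands a plain SYN to
# the filter rules. Assumption: verify these rules against your pf_norm.c.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def scrub_tcp(flags):
    """Return the normalized flag byte, or None if scrub drops the segment."""
    if flags & SYN:
        if flags & RST:                # SYN+RST is never legal: dropped
            return None
        if flags & FIN:                # SYN+FIN: FIN stripped, packet goes on
            flags &= ~FIN
    elif not flags & (ACK | RST):      # non-SYN without ACK or RST: dropped
        return None
    if not flags & ACK and flags & (FIN | PSH | URG):
        return None                    # FIN/PSH/URG only valid together with ACK
    return flags


def matches(flags, check, mask):
    """pf 'flags check/mask' semantics: the bits in mask must equal check."""
    return flags & mask == check


def filter_after_scrub(raw_flags):
    """Scrub first (as pf does), then apply the two rules of interest."""
    flags = scrub_tcp(raw_flags)
    if flags is None:
        return "dropped by scrub"
    if matches(flags, SYN | FIN, SYN | FIN):   # block in quick ... flags FS/FS
        return "blocked by flags FS/FS rule"
    if matches(flags, SYN, SYN | ACK):         # pass in ... flags S/SA
        return "passed as a normal SYN"
    return "no rule matched"


if __name__ == "__main__":
    # A scanner's SYN+FIN probe: the FIN is cleaned off, so the bare SYN
    # reaches the pass rule and the host answers with SYN/ACK.
    print(filter_after_scrub(SYN | FIN))   # passed as a normal SYN
    print(filter_after_scrub(SYN | RST))   # dropped by scrub
```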