
RE: Filter on packet content



You might want to ask the company:
"How could this impact my company profits?" 
Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:[email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
James Cammarata
Sent: Wednesday, January 28, 2004 11:30 PM
To: [email protected]
Subject: Filter on packet content

Hi all. My company recently underwent the first stages of a security review
by a third party. In this first stage they gathered information about our
network via publicly accessible records and such, and did some port scans
and some other light probing to see what they could detect on our network.

The one thing that stuck out to me was this (from their report): "remote
host does not discard TCP SYN packets that also have the FIN flag set."

This note appeared for every visible server they probed. Now, I thought
(based on the PF FAQ) that doing a scrub on incoming packets would
stop this from happening. The first line (well, 2nd really) of my pf.conf
is "scrub in all".

Is something odd going on here? All of our servers they probed are behind
the firewall, so the scrub rule is in effect for all of them. Is scrub just
cleaning the packets instead of dropping them outright?

PS. The actual first line of my pf.conf is:
# It puts the lotion on the packets... ;)
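
The distinction the question above raises, a filter that cleans a SYN+FIN segment versus one that drops it, shown as an added example that is not part of the original thread and does not reproduce PF's implementation. The headers are constructed, and the policy names `drop` and `sanitize` and all function names are hypothetical.

```python
import struct

# TCP flag bits in byte 13 of the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header, no options; checksum left at 0."""
    offset_flags = (5 << 12) | flags  # data offset of 5 words plus flag bits
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 1024, 0, 0)

def tcp_flags(header):
    """Return the flag bits of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F

def filter_segment(header, policy):
    """Hypothetical filter: returns the segment to deliver, or None if discarded."""
    flags = tcp_flags(header)
    if not (flags & SYN and flags & FIN):
        return header                  # not the combination under test
    if policy == "drop":
        return None                    # discard outright
    if policy == "sanitize":
        cleaned = bytearray(header)
        cleaned[13] &= 0xFF ^ FIN      # clear FIN, keep SYN (checksum not updated here)
        return bytes(cleaned)
    raise ValueError("unknown policy: " + policy)

def probe_gets_answer(header, policy):
    """Simplified listener: answers any delivered segment that still opens a connection."""
    delivered = filter_segment(header, policy)
    if delivered is None:
        return False
    flags = tcp_flags(delivered)
    return bool(flags & SYN) and not flags & (RST | ACK)

if __name__ == "__main__":
    synfin = build_tcp_header(40000, 80, SYN | FIN)  # constructed probe segment
    for policy in ("drop", "sanitize"):
        print(policy, "-> probe answered:", probe_gets_answer(synfin, policy))
```

In this model a probe that only checks for a reply cannot tell a sanitizing filter from no filter at all, because the cleaned segment still reaches the listener as a SYN.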