quoting <http://www.openbsd.org/faq/pf/filter.html>
<quote> IP Options By default, PF blocks packets with IP options set. This can make the job more difficult for "OS fingerprinting" utilities like nmap. If you have an application that requires the passing of these packets, such as multicast or IGMP, you can use the allow-opts directive: pass in quick on fxp0 all allow-opts </quote> Am I correct in thinking that this line effectively passes *all* traffic in on fxp0 with no more checking because of the 'quick' option? One of our network folk was trying to get multicast working and found mention of 'allow-opts' and being necessary. Found this in the FAQ and naively cut and pasted it into our production rule set. A couple of hours later we found that we had half a dozen unpatched SQL servers on campus :( Surely in the context of the FAQ this rule should not have quick so that subsequent block rules will take effect. Please note I'm not blaming the FAQ for what happened to us. I'm perfectly clear that it is *our* responsibility to make sure we understand the consequences of the changes we make to our rule sets and that anyone who cut and pastes stuff without being quite sure that they understands what they are doing deserves what they get :) Sigh.... Russell