carlopmart wrote:
> block in quick on egress inet proto tcp from any to any flags /S label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags /SFRA label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags /SFRAU label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags A/A label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags F/SFRA label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags U/SFRAU label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags SF/SF label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags SF/SFRA label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags SR/SR label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags FUP/FUP label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags FUP/SFRAUPEW label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags SFRAU/SFRAU label "Traffic Denied"
> block in quick on egress inet proto tcp from any to any flags SFRAUP/SFRAUP label "Traffic Denied"
I believe the above monster block (I'd say my early ipf-based setups did so) is redundant, since all TCP packets with incorrect flag combinations are dropped by the corresponding "scrub" rule.

Alexey
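As an added example (not from carlopmart's or Alexey's posts), here is pf's "flags a/b" matching logic written out in Python and run over the flag specs from the quoted block against a few constructed flag combinations; it shows which of those rules a normal SYN, an all-clear segment, SYN+FIN and FIN+URG+PSH would hit, and that with "quick" only the first hit counts. The sample packets and the helper names are constructed for this illustration.

```python
# TCP header flag bits (RFC 793 flags plus ECE/CWR, pf's E and W letters)
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# The "flags" specs from the quoted block, in rule order (all share one label)
RULE_SPECS = ["/S", "/SFRA", "/SFRAU", "A/A", "F/SFRA", "U/SFRAU", "SF/SF",
              "SF/SFRA", "SR/SR", "FUP/FUP", "FUP/SFRAUPEW",
              "SFRAU/SFRAU", "SFRAUP/SFRAUP"]


def flag_mask(letters):
    """Turn a pf flag string such as 'SFRA' into a bitmask."""
    mask = 0
    for c in letters:
        mask |= FLAG_BITS[c]
    return mask


def pf_flags_match(spec, tcp_flags):
    """pf semantics for 'flags a/b': of the flags listed in b, exactly those
    listed in a must be set (an empty a means every flag in b must be clear)."""
    set_part, check_part = spec.split("/")
    return (tcp_flags & flag_mask(check_part)) == flag_mask(set_part)


def matching_rules(tcp_flags):
    """All specs from the block that a segment with these flags would match."""
    return [s for s in RULE_SPECS if pf_flags_match(s, tcp_flags)]


def first_quick_match(tcp_flags):
    """Each rule is 'quick', so only the first matching rule decides."""
    hits = matching_rules(tcp_flags)
    return hits[0] if hits else None


# Constructed segments: one normal handshake SYN and three malformed combinations
SAMPLES = {
    "syn": flag_mask("S"),        # legitimate connection attempt
    "null": 0,                    # no flags set at all
    "syn_fin": flag_mask("SF"),   # contradictory SYN+FIN
    "fin_urg_psh": flag_mask("FUP"),  # FIN+URG+PSH without SYN or ACK
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print(f"{name:12s} first: {first_quick_match(flags)}  all: {matching_rules(flags)}")
```

Note that the first spec, /S, matches every segment without SYN, a bare ACK included; in pf that only bites segments that did not already match a state entry, since state lookup happens before the ruleset is evaluated.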