I understand that this might annoy a few of you; if it does, please accept my apologies.

The place I work is required to have an external security scan from time to time, and the latest scan says that we have failed because the firewall responded to a TCP packet that has the SYN and FIN flags set. I know that OpenBSD isn't vulnerable to the exploits that use this: http://www.kb.cert.org/vuls/id/IAFY-5F8RWP

However, I don't see any reason to respond to a packet with SYN and FIN set, AND a firewall rule that drops said TCP packets would fix the fact that we are now "non-compliant" as far as the security scan goes. I think a pf rule such as:

block drop in quick proto tcp all flags SF/SF

would do it. Does anyone see a way that this would come back to bite me on the ass later?

Stuart van Zee
[email protected]

Sage advice requested... fire retardant underwear in place...
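The rule in the post uses pf's "flags check/mask" syntax: of the flag bits named in the mask (after the slash), exactly those named in the check (before the slash) must be set, and every other flag is ignored. So "flags SF/SF" matches any TCP segment with both SYN and FIN set regardless of ACK, PSH or the rest, while the common stateful form "flags S/SA" matches a bare SYN (SYN set, ACK clear). The following Python script is an added example, not the poster's code and not pf's implementation: it constructs a few 20-byte TCP headers, extracts the flag bits, and applies the check/mask comparison so the matching behaviour can be seen on concrete segments. The header builder, the sample segments and the `classify` policy are constructed for illustration.

```python
import struct

# TCP flag bits (RFC 793, plus ECE/CWR from RFC 3168), keyed by pf's one-letter names.
TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flags_from_letters(letters):
    """Turn a pf-style flag string such as 'SF' or 'SA' into a bit mask."""
    value = 0
    for ch in letters:
        value |= TCP_FLAGS[ch]
    return value


def pf_flags_match(packet_flags, check, mask):
    """pf 'flags check/mask' semantics: within the bits selected by mask,
    the packet must have exactly the bits in check set; bits outside the
    mask do not influence the result."""
    return (packet_flags & mask) == (check & mask)


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Construct a minimal TCP header (no options, checksum left zero).
    Constructed sample data for this example, not a captured packet."""
    data_offset = 5  # 5 x 32-bit words = 20 bytes, no options
    offset_flags = (data_offset << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, 0, 0)


def tcp_flags(header):
    """Extract the flag bits from a raw TCP header (offset 12, low 9 bits:
    the NS bit plus the eight classic flags)."""
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & 0x01FF


def rule_matches(header, rule):
    """Evaluate a pf 'flags check/mask' expression against a raw TCP header."""
    check, mask = rule.split("/")
    return pf_flags_match(tcp_flags(header),
                          flags_from_letters(check),
                          flags_from_letters(mask))


def classify(header):
    """Hypothetical policy mirroring the post: drop SYN+FIN first (quick),
    then treat a bare SYN as a new connection, everything else as other."""
    if rule_matches(header, "SF/SF"):
        return "drop: SYN+FIN"
    if rule_matches(header, "S/SA"):
        return "pass: new connection (SYN only)"
    return "pass: other"


# Constructed sample segments (source port 40000 to port 22 in every case).
SAMPLES = {
    "syn_only": build_tcp_header(40000, 22, flags_from_letters("S")),
    "syn_fin": build_tcp_header(40000, 22, flags_from_letters("SF")),
    "syn_fin_psh": build_tcp_header(40000, 22, flags_from_letters("SFP")),
    "syn_ack": build_tcp_header(40000, 22, flags_from_letters("SA")),
    "fin_ack": build_tcp_header(40000, 22, flags_from_letters("FA")),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:12s} flags=0x{tcp_flags(header):02x}  {classify(header)}")
```

Running it shows that "SF/SF" catches the SYN+FIN segment whether or not PSH is also set, that a SYN/ACK is neither dropped by "SF/SF" nor accepted by "S/SA" (ACK lies inside the S/SA mask), and that an ordinary FIN/ACK is untouched by either expression.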

