2009/3/12 Stuart VanZee <[email protected]>:
> it doesn't seem possible to implement a rule that blocks
> these packets while still using packet normalization (scrub)
> since scrub is the first thing that sees a packet and drops
> the FIN on a packet that has SYN+FIN set (at least that is
> how I understand it).
Suppose you use an OpenBSD bridge (=extra hardware) in front of your firewall, like so:

Internet <==> OpenBSD bridge <==> OpenBSD firewall <==> intranet

You could have scrubbing turned off at the bridge and block the SYN+FIN packets at the bridge. Then, at the firewall, you have scrubbing turned on and get those cutey packets all squeaky clean.

Now instead of calculating the risk of being dropped by the Payment Card Industry like a hot potato against the risk of not scrubbing or otherwise making technical compromises to placate them, you get to make an entirely different calculation: weighing the cost of (and possible latency introduced by) one extra box against the cost of the aforementioned shenanigans.

OTOH, if this affects you, then maybe you could also weigh the cost of hiring a major OpenBSD developer to implement a new feature that could make it possible to configure your pf.conf to exempt SYN+FIN packets from scrubbing and/or deal with them separately against the cost of the said above shenanigans.

Well, those are just my 2 eurocents.

regards,
--ropers
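As an added illustration of the two-box layout described above (this is not ropers' or Stuart's own configuration; the interface names em0/em1 are assumed, and it uses the standalone `scrub` rule syntax of the OpenBSD releases current when this was written, before scrub became a `match` option in 4.6), the two rulesets could look like this. The bridge has no scrub rule at all, so the SYN+FIN flag combination is still intact when pf evaluates the block rule there; the firewall behind it normalizes everything that gets through.

```pf
# --- /etc/pf.conf on the OpenBSD bridge (assumed interfaces em0 = outside, em1 = towards firewall)
# No scrub rule on this box: packets are inspected with their flags untouched.
ext_if = "em0"

# Drop and log TCP segments that have both SYN and FIN set.
# "flags SF/SF" means: of the flags S and F, require both to be set.
block log quick on $ext_if proto tcp flags SF/SF

# Everything else is passed through the bridge unchanged.
pass quick all

# --- /etc/pf.conf on the OpenBSD firewall (assumed interfaces em0 = towards bridge, em1 = intranet)
ext_if = "em0"
int_if = "em1"

# Normalization happens here, after the bridge has already removed SYN+FIN.
scrub in all

block log all
pass out quick on $ext_if keep state
pass in quick on $int_if keep state
```

Because the bridge rule is `block log`, the dropped SYN+FIN segments can be reviewed with `tcpdump -n -e -ttt -i pflog0` on the bridge, which gives an auditable record to show an assessor that the packets are being rejected rather than merely rewritten.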

