Hi everyone,

I‘m running OpenBSD 6.5 (release) on a server with a public IP but very 
limiting pf rules. I ran a nmap -sn on the corresponding address from another 
host to verify that it isn‘t detectable with a simple ICMP scan (please don‘t 
start a discussion how important this is - I do not say this is a real security 
benefit, I just like it on top of other security considerations). 

However, nmap unexpectedly returned ‚Host is up‘. Debugging output shows that 
the server responded with a TCP RA flag. This stumped me, because IMHO ‚block 
all‘ (which I really tested in the end as single rule with a seperate 
pf.config) results in ‚block drop all‘ by default, confirmed via pfctl -s rules.

Can someone point out me what I misunderstood here? My assumption was pf would 
really silently drop, including the absence of a TCP response. 


Reply via email to