Hi everyone,

I'm running OpenBSD 6.5 (release) on a server with a public IP but very
limiting pf rules. I ran a nmap -sn on the corresponding address from another
host to verify that it isn't detectable with a simple ICMP scan (please don't
start a discussion how important this is - I do not say this is a real security
benefit, I just like it on top of other security considerations).

However, nmap unexpectedly returned 'Host is up'. Debugging output shows that
the server responded with a TCP RA flag. This stumped me, because IMHO 'block
all' (which I really tested in the end as single rule with a separate
pf.config) results in 'block drop all' by default, confirmed via pfctl -s rules.

Can someone point out to me what I misunderstood here? My assumption was pf would
really silently drop, including the absence of a TCP response.

Thanks,
Dominique
