On Fri, Aug 30, 2002 at 08:39:47AM +0200, Ed White wrote:

> For example, nmap -sS could be stopped with the right block rule, but if
> I use -current's "scrub in all", what will PF do?
> I believe that packet will pass "scrub" untouched.
> Right? ;-)
A scrub rule like this will certainly affect incoming packets. Fragments get reassembled (if they're properly fragmented) and invalid packets get dropped. The purpose of 'scrub', however, is not to defeat OS detection; in fact it might give a scanner certain clues that scrubbing is going on (as anything the packet filter does).

And it doesn't affect nmap -sS scans, since they are not made of fragmented or invalid packets, but basically valid TCP handshakes that never complete.

Daniel
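As an added illustration (not part of Daniel's reply or Ed's question), here is a pf.conf fragment in the OpenBSD 3.x syntax of the time that separates the two jobs discussed above: scrub normalizes packets, and it is the block/pass rules that decide whether a SYN probe gets anywhere. The interface name fxp0 and the ports 22 and 80 are assumptions chosen for the example.

```pf
# Added example pf.conf fragment, not from the original thread.
# Assumptions: external interface fxp0, services offered on TCP 22 and 80.
ext_if = "fxp0"

# Normalization only: reassembles fragments and drops packets that fail
# sanity checks. The bare SYN that nmap -sS sends is a valid, unfragmented
# TCP segment, so scrub hands it on to the filter rules unchanged.
scrub in all

# Relying on scrub alone is equivalent to the following (weak) rule:
# every valid SYN reaches the host, which answers with SYN-ACK or RST,
# and nmap reads open/closed from that answer.
# pass in all

# What actually limits the scan is the filter: deny by default, then admit
# only the SYN of a new handshake to the ports you serve and track the
# resulting connection. Last matching rule wins, so the pass rules below
# override the block for exactly those ports.
block in all
pass out on $ext_if proto tcp all flags S/SA keep state
pass in on $ext_if proto tcp from any to any port { 22, 80 } flags S/SA keep state
```

With this ruleset a SYN to 22 or 80 still gets the normal SYN-ACK, so nmap reports those ports as open; SYNs to everything else are silently dropped, so nmap reports them as filtered rather than closed. Scrub contributes nothing to that outcome either way; it only guarantees the filter sees sane packets.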
