Hi! A friend yesterday scanned my firewall with Nessus. One thing he found was that Nessus said: "The remote host does not discard TCP SYN packet which have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules."

I do however use:

block log all
scrub in on $INTERNET_INT all fragment reassemble

And on all incoming TCP "permit" rules I use "S/SA" as the flag combination. I have earlier used rules like:

block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags UAPRSF/UAPRSF
block in log quick on $ALL_INTERFACES inet proto tcp from any to any flags PUF/PUF

But I removed these as I assumed that "scrub" would block all illegal flag combinations for me.

Questions:
* What does "scrub" actually do? Can't find much in the pf.conf man page.
* Do I have to manually block all illegal flag combinations as I earlier used to do when I used ipfilter?

I have not looked any deeper into this as I know there are a lot of bright people on this list that probably know this...

Thanks in advance
Per-Olov Sjöholm
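A way to audit which flag combinations the rules quoted in this message would admit, as an added example that is not code from the original post: it assumes pf's `flags X/Y` semantics (only the bits named in Y are compared, and they must equal X), models the two removed block rules with `quick` and the `block log all` line as the default action, and then checks every one of the 64 flag combinations against a short list of ones that never occur in well-formed TCP.

```python
# Added example (not from the original post): a small model of pf "flags X/Y"
# matching, used to see which illegal TCP flag combinations a rule set passes.
# Assumed pf semantics: "flags X/Y" matches when, of the bits named in Y,
# exactly the bits named in X are set; last matching rule wins unless "quick".
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
FIN, SYN, RST, PSH, ACK, URG = (TCP_FLAGS[c] for c in "FSRPAU")

def parse_flags(letters):
    """Turn a pf flag string such as 'SA' into a bitmask."""
    mask = 0
    for ch in letters:
        mask |= TCP_FLAGS[ch]
    return mask

def pf_flags_match(packet_flags, spec):
    """Evaluate a pf 'flags X/Y' spec: compare only the bits in Y against X."""
    want, check = spec.split("/")
    return (packet_flags & parse_flags(check)) == parse_flags(want)

# The rules from the message, modelled as (action, flags spec, quick).
# "block log all" becomes the default action in decide() below.
RULES = [
    ("block", "UAPRSF/UAPRSF", True),  # all six flags set at once
    ("block", "PUF/PUF", True),        # PSH, URG and FIN together
    ("pass", "S/SA", False),           # new connections: SYN without ACK
]

def decide(packet_flags, rules=RULES, default="block"):
    """pf evaluation order: last match wins, a matching 'quick' rule ends it."""
    action = default
    for act, spec, quick in rules:
        if pf_flags_match(packet_flags, spec):
            action = act
            if quick:
                break
    return action

def is_illegal_combination(packet_flags):
    """Flag sets that a conforming TCP stack never sends."""
    if packet_flags & SYN and packet_flags & (FIN | RST):
        return True      # SYN combined with FIN or RST
    if not packet_flags & (ACK | SYN | RST):
        return True      # no ACK and not SYN/RST: null, PUF, lone FIN, ...
    return False

def leaked_combinations(rules=RULES):
    """pf flag strings for every illegal combination the rules would pass."""
    leaked = []
    for bits in range(64):
        if is_illegal_combination(bits) and decide(bits, rules) == "pass":
            leaked.append("".join(c for c, v in TCP_FLAGS.items() if bits & v))
    return leaked
```

Running `leaked_combinations()` shows that `S/SA` ignores the FIN and RST bits entirely, so a SYN+FIN segment matches the pass rule while the two block rules only catch the exact UAPRSF and PUF sets.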
