Hi !
A friend yesterday scanned my firewall with nessus. One thing he found was that nessus said: "The remote host does not discard TCP SYN packet which have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules."
I do however use:

    block log all
    scrub in on $INTERNET_INT all fragment reassemble

And on all incoming TCP "permit" rules I use "S/SA" as the flag combination.
The 'S/SA' is what is confusing you here. The syntax for that is: 'accepted/watch'. So pf here is only checking to see if the packets have the S or A flags set, and only accepting those that have the S flag (and not the A flag). All other flags are ignored. If you want to block packets with SF set, you need to put that in the 'watch' section: 'S/SAF'
Exactly which flags you should watch is a subject of much debate. A general consensus at one time was you should say at least 'S/SAFR', but there were various opinions about what else might be a good idea.
Scrub doesn't touch the flags.
Daniel T. Staal
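As an added illustration (not part of the thread, and not pf's own code), here is a small model of pf's "flags check/mask" test that shows why a SYN+FIN packet slips through 'S/SA' but is rejected by 'S/SAF' or 'S/SAFR'. The flag bit values are the real TCP header bits; the sample packets are constructed.

```python
# Minimal emulation of pf's "flags check/mask" matching (added example).
# pf looks only at the bits listed in 'mask'; of those, exactly the bits
# listed in 'check' must be set. Bits outside 'mask' are never examined,
# which is why 'S/SA' never even sees a FIN bit on a SYN+FIN packet.

# Real TCP flag bit values from the TCP header.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(letters: str) -> int:
    """Turn a pf flag string such as 'SAF' into a bitmask."""
    mask = 0
    for ch in letters:
        mask |= TCP_FLAGS[ch]
    return mask


def pf_flags_match(rule: str, packet_flags: str) -> bool:
    """Return True if a packet with 'packet_flags' matches 'flags check/mask'."""
    check, mask = rule.split("/")
    check_bits, mask_bits = parse_flags(check), parse_flags(mask)
    return (parse_flags(packet_flags) & mask_bits) == check_bits


def evaluate(rule: str) -> dict:
    """Run a rule against a few constructed packets; True means the rule passes it."""
    samples = {
        "SYN": "S",          # normal connection open
        "SYN+FIN": "SF",     # the combination Nessus complained about
        "SYN+RST": "SR",     # another odd combination, caught only by 'S/SAFR'
        "SYN+ACK": "SA",     # second step of the handshake
        "FIN+ACK": "FA",     # connection teardown
    }
    return {name: pf_flags_match(rule, flags) for name, flags in samples.items()}


if __name__ == "__main__":
    for rule in ("S/SA", "S/SAF", "S/SAFR"):
        print(rule, evaluate(rule))
```

Running it shows 'S/SA' passing SYN+FIN, 'S/SAF' rejecting it but still passing SYN+RST, and 'S/SAFR' rejecting both while still passing a plain SYN.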