Daniel Staal said:

> --As of Saturday, January 24, 2004 6:42 PM +0100, Per-Olov Sjöholm
> is alleged to have said:
>
>> Hi !
>>
>> A friend yesterday scanned my firewall with nessus. One thing he
>> found was that nessus said:
>> "The remote host does not discard TCP SYN packet which have the FIN
>> flag set. Depending on the kind of firewall you are using, an
>> attacker may use this flaw to bypass its rules."
>>
>> I do however use:
>> block log all
>> scrub in on $INTERNET_INT all fragment reassemble
>> And on all incoming TCP "permit" rules I use "S/SA" as the flag
>> combination.
>
> The 'S/SA' is what is confusing you here. The syntax for that is:
> 'accepted/watch'. So pf here is only checking to see if the packets
> have the S or A flags set, and only accepting those that have the S
> flag (and not the A flag). All other flags are ignored. If you want
> to block packets with SF set, you need to put that in the 'watch'
> section: 'S/SAF'
>
> Exactly which flags you should watch is a subject of much debate. A
> general consensus at one time was you should say at least 'S/SAFR',
> but there were various opinions about what else might be a good idea.
>
> Scrub doesn't touch the flags.
I know the purpose of the flag mask... But I thought Daniel Hartmeier said that F is cleared by scrub if it's in a combination with S, and therefore combinations like S/SAF or S/SAFR should not be necessary. And the problem is that scrub, according to a "nessus" scan, doesn't clear the F flag.

If I have S/SA on an accept rule and a generic scrub statement, I would, according to what Daniel Hartmeier said, assume the following: The F flag should be cleared by scrub!

Either I specify the scrub statement wrong or totally misunderstand something here...

Thanks
Per-Olov

> Daniel T. Staal
>
> ---------------------------------------------------------------
> This email copyright the author. Unless otherwise noted, you
> are expressly allowed to retransmit, quote, or otherwise use
> the contents for non-commercial purposes. This copyright will
> expire 5 years after the author's death, or in 30 years,
> whichever is longer, unless such a period is in excess of
> local copyright law.
> ---------------------------------------------------------------
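As an added illustration, not part of this thread and not pf's own code: a small Python model of the `flags accepted/watch` matching that the quoted reply describes, following the rule in pf.conf(5) (a packet matches when, of the flags named in the watch set, exactly the accepted ones are set; flags outside the watch set are ignored). The helper names and the probe packets are my own constructions. The model covers only the pass-rule flag check and says nothing about what scrub does to a packet before the rule sees it.

```python
# Added example (not from the thread): a model of how a pf pass rule's
# "flags accepted/watch" option is matched against a TCP header, per
# pf.conf(5): a packet matches when, of the flags named in the watch set,
# exactly the accepted ones are set; flags outside the watch set are ignored.
# Helper, constant and probe names are my own. Scrub is not modelled here.

# TCP header flag bits (RFC 793 bit positions, pf.conf(5) letters)
TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flag_bits(letters):
    """Turn a string of pf flag letters such as 'SAF' into a bitmask."""
    mask = 0
    for letter in letters:
        mask |= TCP_FLAG_BITS[letter]  # KeyError on an unknown letter
    return mask


def flags_match(spec, packet_flags):
    """Return True if a packet whose header flags are `packet_flags`
    (e.g. 'SF') is matched by a rule written `flags <spec>` (e.g. 'S/SA').

    pf semantics: (packet_flags & watch) == accepted.  Bits that are not
    in the watch set do not influence the result at all.
    """
    accepted_letters, watch_letters = spec.split("/")
    accepted = flag_bits(accepted_letters)
    watch = flag_bits(watch_letters)
    if accepted & ~watch:
        raise ValueError("accepted flags must be a subset of watched flags: " + spec)
    return (flag_bits(packet_flags) & watch) == accepted


# Constructed probe packets (my own sample input): the kinds of TCP headers a
# scanner sends against a rule meant to admit only a plain SYN.  'SF' is the
# SYN+FIN probe behind the "does not discard TCP SYN packet which have the
# FIN flag set" finding quoted above.
PROBES = {
    "SYN":      "S",
    "SYN+FIN":  "SF",
    "SYN+RST":  "SR",
    "SYN+ACK":  "SA",
    "SYN+PSH":  "SP",
    "FIN only": "F",
    "no flags": "",
}


def probe_table(spec):
    """Map each constructed probe name to whether `flags <spec>` passes it."""
    return {name: flags_match(spec, flags) for name, flags in PROBES.items()}


def admitted_by(spec):
    """Sorted list of probe names a rule with `flags <spec>` would pass."""
    return sorted(name for name, hit in probe_table(spec).items() if hit)


if __name__ == "__main__":
    # The pf.conf rules these specs correspond to, for reference:
    #   pass in on $INTERNET_INT proto tcp from any to any port 22 flags S/SA keep state
    #   pass in on $INTERNET_INT proto tcp from any to any port 22 flags S/SAFR keep state
    for spec in ("S/SA", "S/SAF", "S/SAFR"):
        print("flags %-7s admits: %s" % (spec, ", ".join(admitted_by(spec))))
```

Running it shows the SYN+FIN probe passing `S/SA` but not `S/SAF` or `S/SAFR`, which is exactly the difference between the two spellings in the quoted reply; whether scrub would let such a packet reach the rule at all is a separate question this model does not answer.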