The one thing that stuck out to me was this (from their report): "remote host does not discard TCP SYN packets that also have the FIN flag set." This note appeared for every visible server they probed. Now, I thought (based on the PF FAQ) that doing a scrub on incoming packets would stop this from happening. The first line (well, 2nd really) of my pf.conf is "scrub in all".
Is something odd going on here? All of our servers they probed are behind the firewall, so the scrub rule is in effect for all of them. Is scrub just cleaning the packets instead of dropping them outright?
PS. the actual first line of my pf.conf is: # It puts the lotion on the packets... ;)
