Read the old posting (just a few days old) from me with the answer from Daniel Hartmeier.

The subject of that posting was "Re: packets with SYN and FIN set not discarded!" I think, as said, that it's a false positive, as scrub removed the FIN from the packet. And then the pass rule with the S/SA (I assume) matches (as the FIN is gone). Daniel says in the reply that the scanner can only see what is sent and what came back in the reply, and draw the wrong conclusions. I assume that a pass rule with S/SAF instead of S/SA will avoid the false positive but will not change anything.

Regards
/Per-Olov

James Cammarata said:
> Hi all. My company recently underwent the first stages of a security
> review by a third-party. In this first stage they gathered information
> about our network via publicly accessible records and such, and did some
> port scans and some other light probing to see what they could detect on
> our network.
>
> The one thing that stuck out to me was this (from their report): "remote
> host does not discard TCP SYN packets that also have the FIN flag
> set." This note appeared for every visible server they probed. Now, I
> thought (based on the PF FAQ) that doing a scrub on incoming packets would
> stop this from happening. The first line (well, 2nd really) of my
> pf.conf is "scrub in all".
>
> Is something odd going on here? All of our servers they probed are behind
> the firewall, so the scrub rule is in effect for all of them. Is scrub
> just cleaning the packets instead of dropping them outright?
>
> PS. the actual first line of my pf.conf is:
> # It puts the lotion on the packets... ;)
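As an added illustration (not code from either poster, and not pf's own implementation), the following Python model shows the two pf mechanisms the thread discusses: scrub clearing the FIN bit from a SYN+FIN segment instead of dropping it, and a pass rule's "flags set/mask" test. The rule strings S/SA and S/SAF and the "scrub in all" setting are the ones named in the thread; the flag-bit layout is the standard TCP header layout. Running it shows which combinations let a SYN+FIN probe reach a state-creating pass rule, which is what the scanner infers from the SYN/ACK it gets back.

```python
# Added example: a minimal model of pf behaviour for this page.
# Not pf's source and not the poster's ruleset; an illustration only.
#   1. scrub normalisation: a segment with SYN and FIN both set has the
#      FIN bit cleared and is then processed normally (it is not dropped);
#   2. a pass rule's "flags X/Y" test: the segment's flags are masked with
#      Y and the result must equal X.
# Flag bits follow the TCP header layout.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def parse_flags(spec: str) -> int:
    """Turn a pf-style flag string such as 'SA' into a bit mask."""
    bits = 0
    for ch in spec:
        bits |= NAMES[ch]
    return bits


def scrub(flags: int) -> int:
    """Model of scrub's SYN+FIN normalisation: strip FIN, keep the segment."""
    if flags & SYN and flags & FIN:
        return flags & ~FIN
    return flags


def rule_matches(rule: str, flags: int) -> bool:
    """Evaluate pf's 'flags set/mask' test, e.g. rule='S/SA'."""
    want, mask = rule.split("/")
    return (flags & parse_flags(mask)) == parse_flags(want)


def passes(rule: str, flags: int, scrub_in: bool) -> bool:
    """Does a segment with these flags reach the pass rule and match it?"""
    if scrub_in:
        flags = scrub(flags)
    return rule_matches(rule, flags)


def syn_fin_outcomes() -> dict:
    """Outcome of a SYN+FIN probe for each combination named in the thread.

    A True value means the pass rule matches, state is created and the
    server's SYN/ACK goes back to the prober, so a scanner that can only
    observe the reply reports 'SYN+FIN not discarded'.
    """
    probe = SYN | FIN  # the probe segment as the scanner sends it
    return {
        ("S/SA", "scrub in all"): passes("S/SA", probe, True),
        ("S/SA", "no scrub"): passes("S/SA", probe, False),
        ("S/SAF", "scrub in all"): passes("S/SAF", probe, True),
        ("S/SAF", "no scrub"): passes("S/SAF", probe, False),
    }


if __name__ == "__main__":
    for (rule, norm), ok in syn_fin_outcomes().items():
        verdict = "pass (SYN/ACK goes back)" if ok else "no match"
        print(f"flags {rule:5} {norm:13} -> {verdict}")
```

The model makes the masking explicit: S/SA only inspects the SYN and ACK bits, so the FIN bit is irrelevant to that rule with or without scrub, and with "scrub in all" in front of the rule the FIN bit has already been cleared before any flags test runs.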
