On Sat, Apr 01, 2006 at 05:01:11AM -0600, Travis H. wrote:
> Aside: What combinations of TCP flags does "scrub" filter out?

From my understanding and a re-reading of pf.conf(5), scrub does no filtering of TCP at all unless you use the 'reassemble tcp' option. Even when it is on, the man page does not seem to hint at any flag-based filtering. However, upon taking a look at the source (http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/net/pf_norm.c?rev=1.106&content-type=text/plain), at about line 1274 the flag-specific checks start to happen. In particular, it looks like if:

* SYN and RST are set, the packet is dropped
* SYN and FIN are set, the FIN is stripped (disambiguated), and the packet is passed
* SYN is not set, and neither ACK nor RST is set, the packet is dropped
* FIN, PSH, or URG are set in any packet that does not have ACK also set, the packet is dropped

There are some other checks that happen, but these are the ones that look to be relevant to your particular question. I may have missed something or misread the code; if so, someone please correct me.

> Aside: What kinds of packets are considered associated with an active
> connection? Will an ICMP unreachable be passed in response to a
> keep state rule?

Based on my reading of pf.conf(5), yes, relevant ICMP error messages will be matched to keep state rules.

-jon
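The four flag checks listed in the reply above, written out as a small C model so the verdict for any flag combination can be tried offline. This is an added illustration of the poster's reading of pf_norm.c, not pf's own code; the TH_* bit values are the standard ones from netinet/tcp.h, and the function name and return convention are the example's own.

```c
#include <stdio.h>
#include <stdint.h>

/* TCP flag bits as defined in <netinet/tcp.h>. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20

#define SCRUB_DROP (-1)   /* example's own sentinel for "packet dropped" */

/*
 * Model of the 'reassemble tcp' flag checks as described in the reply.
 * Returns SCRUB_DROP if the packet would be dropped, otherwise the
 * (possibly normalized) flag byte that would be forwarded.
 */
int scrub_tcp_flags(uint8_t flags)
{
    /* SYN and RST both set: dropped. */
    if ((flags & TH_SYN) && (flags & TH_RST))
        return SCRUB_DROP;

    /* SYN and FIN both set: FIN is stripped, packet continues. */
    if ((flags & TH_SYN) && (flags & TH_FIN))
        flags &= (uint8_t)~TH_FIN;

    /* No SYN, and neither ACK nor RST: dropped. */
    if (!(flags & TH_SYN) && !(flags & (TH_ACK | TH_RST)))
        return SCRUB_DROP;

    /* FIN, PSH or URG without ACK: dropped. */
    if ((flags & (TH_FIN | TH_PUSH | TH_URG)) && !(flags & TH_ACK))
        return SCRUB_DROP;

    return flags;
}

int main(void)
{
    /* A few constructed flag bytes, not captured traffic. */
    uint8_t samples[] = { TH_SYN, TH_SYN | TH_FIN, TH_SYN | TH_RST,
                          TH_FIN, TH_FIN | TH_ACK, 0, TH_RST };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = scrub_tcp_flags(samples[i]);
        printf("flags 0x%02x -> %s\n", samples[i],
               v == SCRUB_DROP ? "drop" : "pass");
    }
    return 0;
}
```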
