On Wed, Mar 11, 2009 at 01:04:34PM -0400, David Goldsmith wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jason Dixon wrote:
> >
> > S/SAFR
> >
> > I just had to deal with this on our customer's PCI scan. Don't argue
> > with the logic, just do it. :)
>
> Let me guess -- TrustKeeper? We just had to deal with this as well.
> Submit an appeal and they should accept it.

Yup.

> The "flags S/SAFR" will work unless you are being a good little pf admin
> and also scrubbing all the traffic. The problem is pf considers SYN-RST
> packets to be illegal and drops them (good) but only considers SYN-FIN
> packets to be ambiguous and so it "normalizes" them and clears the FIN
> bit (in this case for the PCI scan - bad). Then your server behind the
> firewall receives what it thinks is a nice clean SYN packet and it sends
> back SYN-ACK.
>
> Yes, we have our own reasons not to scrub there.

Well, *someone* has their reasons. I have to deal with those reasons. ;)

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
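The ruleset below is an added illustration, not configuration posted by anyone in this thread, written in the standalone `scrub` syntax pf used at the time (OpenBSD before 4.6, and FreeBSD). The interface name and port are assumptions. It shows the `flags S/SAFR` rule the thread refers to next to a `scrub` rule, with comments on the interaction David describes: normalization runs before the filter rules, so a SYN+FIN probe has already been rewritten to a bare SYN by the time the `flags` check sees it.

```pf
# Added example, not from the thread. Interface and port are assumptions.
ext_if   = "em0"
web_port = "80"

# Normalization happens before filtering. In the pf version discussed in
# the thread, scrub drops SYN+RST outright but rewrites SYN+FIN to a plain
# SYN, so the flags rule further down never sees the FIN bit and the host
# behind the firewall answers with SYN+ACK. If the flags rule must see the
# original SYN+FIN, this line has to be removed or narrowed.
scrub in on $ext_if all

# Default deny; everything that falls through the pass rule is logged here.
block in log on $ext_if all

# Accept only bare-SYN connection attempts: of the bits SYN, ACK, FIN and
# RST (the "SAFR" mask), exactly SYN may be set. SYN+FIN, SYN+RST and
# SYN+ACK do not match this rule and are caught by the block above.
pass in log on $ext_if proto tcp from any to $ext_if port $web_port \
    flags S/SAFR keep state
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`) before activating it with `pfctl -f /etc/pf.conf`; after loading, the pflog interface shows which rule a scanner's probe actually hit, which is the quickest way to confirm whether `scrub` or the `flags` rule is doing the work.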