Henning Brauer wrote:
not sure whether it wouldn't be smarter to just have pf scrub drop these as well.--- pf_norm.c Sat Mar 21 12:17:44 2009 +++ pf_norm.c.orig Sat Mar 21 12:16:56 2009 @@ -782,11 +782,8 @@ flags = th->th_flags; if (flags & TH_SYN) { /* Illegal packet */ + if (flags & (TH_RST|TH_FIN)) - if (flags & TH_RST) goto tcp_drop; - - if (flags & TH_FIN) - flags &= ~TH_FIN; } else { /* Illegal packet */ if (!(flags & (TH_ACK|TH_RST)))
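Review bot: the file headers look reversed, which makes the direction of this hunk ambiguous. `--- pf_norm.c` (12:17:44) is on the old side and `+++ pf_norm.c.orig` (12:16:56) on the new side, so as written the `+` line `if (flags & (TH_RST|TH_FIN))` belongs to the .orig file and the `-` lines that clear TH_FIN belong to pf_norm.c. Please regenerate the diff from the original to the modified file so it is clear which side is being proposed. On the substance, in the TH_SYN branch the combined test sends a SYN+FIN packet to tcp_drop, whereas the separate `flags &= ~TH_FIN` only strips the flag and lets the SYN continue. That is a change in behaviour from normalising to dropping, and the bare `/* Illegal packet */` comment should say which flag combinations are dropped.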
IMHO: Yes it is smarter. Will save time spent on the "External Security Consultants". /Johan

