Thank you all for the interesting discussion on this issue. I can't prove it but I think I have gained at least one IQ point just from the privilege of reading said responses.
In my case, I think the answer boils down to the fact that it doesn't seem possible to implement a rule that blocks these packets while still using packet normalization (scrub) since scrub is the first thing that sees a packet and drops the FIN on a packet that has SYN+FIN set (at least that is how I understand it). At this point, I don't think I want to stop using scrub just to get a "fail" that doesn't apply to OpenBSD off of my report. Not when I can just as easily put in an appeal along with proof that this particular "vulnerability" doesn't apply to OpenBSD (see initial message for link if you are interested). Again, thanks to those who responded. I have learned a lot from your efforts. Also, a very special thank you to all the developers of OpenBSD/OpenSSH for all the hard work that you do. I have said it before, and say it again; "OpenBSD makes me look smart" (which is not always an easy task). Stuart van Zee stua...@datalinesys.com