not sure whether it wouldn't be smarter to just have pf scrub drop these as well.
--- pf_norm.c Sat Mar 21 12:17:44 2009
+++ pf_norm.c.orig Sat Mar 21 12:16:56 2009
@@ -782,11 +782,8 @@
 flags = th->th_flags;
 if (flags & TH_SYN) {
 /* Illegal packet */
+ if (flags & (TH_RST|TH_FIN))
- if (flags & TH_RST)
 goto tcp_drop;
-
- if (flags & TH_FIN)
- flags &= ~TH_FIN;
 } else {
 /* Illegal packet */
 if (!(flags & (TH_ACK|TH_RST)))
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
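Review bot: The merged test `if (flags & (TH_RST|TH_FIN))` changes scrub from repairing a SYN+FIN segment (FIN stripped, SYN passed on) to discarding it, and the surviving `/* Illegal packet */` comment does not record that policy change. I would replace the comment with something like `/* SYN+RST and SYN+FIN are never valid together: drop rather than strip FIN */` so a later reader does not assume the old clear-FIN behaviour. As far as I know only T/TCP ever used SYN+FIN legitimately and it was never widely deployed, so dropping looks reasonable, but setups that relied on scrub passing a cleaned SYN will now see those connection attempts vanish. Whether `tcp_drop` logs or counts the packet is outside this hunk, as are the start and end of the enclosing function. Also, the headers put `pf_norm.c.orig` on the `+++` side and the `+` line precedes the `-` line it replaces, so the direction of the diff should be checked before it is applied.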