not sure whether it wouldn't be smarter to just have pf scrub drop
these as well.

--- pf_norm.c   Sat Mar 21 12:17:44 2009
+++ pf_norm.c.orig      Sat Mar 21 12:16:56 2009
@@ -782,11 +782,8 @@
        flags = th->th_flags;
        if (flags & TH_SYN) {
                /* Illegal packet */
+               if (flags & (TH_RST|TH_FIN))
-               if (flags & TH_RST)
                        goto tcp_drop;
-
-               if (flags & TH_FIN)
-                       flags &= ~TH_FIN;
        } else {
                /* Illegal packet */
                if (!(flags & (TH_ACK|TH_RST)))
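
Review bot: the file headers read as a reverse diff: `--- pf_norm.c` is the old side and `+++ pf_norm.c.orig` the new side, so the `.orig` copy is labelled as the result of the change. The `+` line, `if (flags & (TH_RST|TH_FIN))`, matches the mail's proposal to drop these packets, so only the labels look swapped; regenerating with `diff -u pf_norm.c.orig pf_norm.c` would make the direction unambiguous for whoever applies it. Since SYN+FIN now goes to `tcp_drop` instead of having `TH_FIN` cleared, the `/* Illegal packet */` comment in the `TH_SYN` branch could also name the combinations being dropped (SYN+RST, SYN+FIN).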


-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
