On Mon, Jun 14, 2010 at 12:50 AM, Patrick Coleman <blin...@gmail.com> wrote:
> The strange thing is that occasionally, the OpenBSD box will reply to
> the gratuitous traffic with a spoofed TCP RST. For example, see [1] -
> a TCP connection was initiated from 203.135.184.10 (an OSX server) to
> 203.135.184.6 (a Linux server), which is on the same subnet. The
> connection is immediately closed, apparently by 203.135.184.6 - but if
> you look at the MAC addresses it's a spoofed packet from the OpenBSD
> box, which is normally 203.135.184.33.

> In my pf.conf I have "match in all scrub (reassemble tcp)" and
> "antispoof log for $interfaces" and nothing else that isn't a simple
> pass/block or NAT rule. I'm not ruling out some sort of config error
> here, because I'm pretty new to OpenBSD and pf, though my
> understanding is that the above won't cause RSTs to be sent for
> layer-two traffic not sent to the OpenBSD box in question.

What happens if you disable antispoof?  You're getting packets on an
interface that doesn't expect them, which is exactly what antispoof is
supposed to block.
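
The check described in the quoted report (comparing the source MAC of a RST with the MAC normally seen for the claimed source IP) can be automated over captured frames. The following is an added example, not part of the original thread: the MAC addresses, ports and frame contents are constructed, and only the IP addresses come from the report.

```python
import struct
from collections import Counter, defaultdict

RST = 0x04

def parse(frame):
    """Return (src_mac, src_ip, dst_ip, tcp_flags) for Ethernet/IPv4/TCP, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 6 or len(frame) < 14 + ihl + 20:
        return None
    ip = lambda b: ".".join(map(str, b))
    return frame[6:12].hex(":"), ip(frame[26:30]), ip(frame[30:34]), frame[14 + ihl + 13]

def find_spoofed_rsts(frames):
    """Learn each IP's usual MAC from non-RST traffic, then flag RSTs from another MAC."""
    parsed = [p for p in map(parse, frames) if p]
    seen = defaultdict(Counter)
    for smac, sip, _, flags in parsed:
        if not flags & RST:
            seen[sip][smac] += 1
    alerts = []
    for smac, sip, dip, flags in parsed:
        if not flags & RST or sip not in seen:
            continue
        usual = seen[sip].most_common(1)[0][0]
        if smac != usual:
            also = sorted(ip for ip, macs in seen.items() if smac in macs)
            alerts.append({"claimed_ip": sip, "dst_ip": dip, "frame_mac": smac,
                           "usual_mac": usual, "mac_also_seen_as": also})
    return alerts

def build(smac, dmac, sip, dip, flags):
    """Constructed sample frame; checksums are left at zero, only headers matter here."""
    addr = lambda s: bytes(map(int, s.split(".")))
    eth = bytes.fromhex((dmac + smac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, addr(sip), addr(dip))
    return eth + ip + struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, flags, 0, 0, 0)

# Constructed MACs (locally administered); the IP addresses are the ones in the thread.
OSX, LINUX, BSD = "02:00:00:00:00:0a", "02:00:00:00:00:06", "02:00:00:00:00:21"
SAMPLE = [build(*f) for f in [
    (LINUX, OSX, "203.135.184.6", "203.135.184.10", 0x10),   # earlier Linux traffic
    (BSD, OSX, "203.135.184.33", "203.135.184.10", 0x10),    # OpenBSD as itself
    (OSX, LINUX, "203.135.184.10", "203.135.184.6", 0x02),   # SYN from the OSX server
    (BSD, OSX, "203.135.184.6", "203.135.184.10", 0x14),     # RST claiming to be Linux
    (LINUX, OSX, "203.135.184.6", "203.135.184.10", 0x14),   # genuine RST, not flagged
]]
```

Calling `find_spoofed_rsts(SAMPLE)` returns one alert, for the RST that claims 203.135.184.6 but carries the MAC otherwise seen for 203.135.184.33.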
