I've got a fairly simple test ruleset: #################################################### WAN_IF="em0" LAN_IF="em1"
set block-policy return set state-policy if-bound set require-order yes set debug urgent set loginterface $WAN_IF set skip on lo0 scrub all no-df random-id fragment reassemble block log all # allow routed packets to flow pass out on $LAN_IF inet proto icmp from any to any keep state tagged IN pass out on $LAN_IF inet proto tcp from any to any flags S/SA modulate \ state tagged IN # allow the fw to talk on WAN pass out on $WAN_IF inet proto tcp from ($WAN_IF) to any flags S/SA \ modulate state pass out on $WAN_IF inet proto udp from ($WAN_IF) to any keep state pass out on $WAN_IF inet proto icmp from ($WAN_IF) to any keep state # allow the fw to talk on LAN pass out on $LAN_IF inet proto tcp from ($LAN_IF) to any flags S/SA \ modulate state pass out on $LAN_IF inet proto udp from ($LAN_IF) to any keep state pass out on $LAN_IF inet proto icmp from ($LAN_IF) to any keep state # allow to-be routed traffic in pass in on $WAN_IF inet proto tcp from $WAN_IF:network to any flags \ S/SA modulate state tag IN pass in on $WAN_IF inet proto icmp from $WAN_IF:network to any keep \ state tag IN ##################################################### I've read the code, re-read the FAQs and read the archives, and everything indicates that with bad or ambiguous TCP flags, scrub attempts to make life better. With SF, it will strip the FIN and pass the packet. With SR, it drops the packet. I've proven this to be true, however the one odd thing I'm seeing is that when pf scrubs a packet with SR, it does get droped but not logged. pf_normalize_tcp() does do things a bit differently than others in pf_norm.c, but I don't see any particular problems there. This particular build is a little old (OpenBSD 3.8-current (GENERIC) #200: Tue Oct 18 05:06:23 MDT 2005), but I don't see any changes that should've affected this particular section of code. I'm also seeing this on another box with a considerably larger rule set. Any ideas why this is not logged, or is this operator error? Thanks, -jon
