Date:      Thu, 07 Aug 2008 18:40:29 -0400
From:      Michael Powell <nightrecon@verizon.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Remote host replies to SYN+FIN
Message-ID:  <g7fthj$1gf$1@ger.gmane.org>
References:  <489A8EA3.5030102@el.net> <489B3FFD.308@el.net>

kalin m wrote:

> 
> does anybody have any idea how to resolve this?
> 
[snip]

Not without a lot more information. But I may be able to fathom some wild
guess, generically speaking.

Only allow connections to set up like this:

pass out quick on $ExtIF inet proto tcp  all flags S/SA keep state

pass in quick on $ExtIF inet proto tcp from any to any port 48080 flags S/SA keep state

Notice I included the "keep state" for illustrative purposes. With the
latest version of pf this is now the default condition and including it is
no longer required.

Then either block the SYN+FIN before they reach these rules, or simply allow
it to fall through to a generic dumping rule like this:

block in quick log on $ExtIF all

This way the SYN+FIN doesn't match the rules for legitimate traffic
and "falls through" to default block all "non-legitimate" traffic.

YMMV - Mike

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?g7fthj$1gf$1>
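The following is an added illustration, not part of Mike's message or of pf itself: a small Python model of how pf evaluates a `flags a/b` spec, run against the three rules he posted (interface and protocol omitted, port 48080 kept). It assumes the pf.conf(5) semantics that of the flags named in the mask `b`, exactly those in `a` must be set, and that any flag not named in `b` is ignored; it does not model state tracking. The "S/SAFR" variant is an assumed alternative mask, not something the post proposes.

```python
"""Toy model of pf's TCP 'flags a/b' matching, run against the rules in
the post. Added illustration, not pf code; it assumes pf.conf(5)
semantics: of the flags named in mask b, exactly those in a must be set,
and any flag not named in b is ignored. State tracking is not modelled."""

# TCP flag bits as laid out in the header.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flags_to_bits(letters):
    """'SA' -> 0x12; an unknown letter raises KeyError, as pfctl would reject it."""
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]
    return bits


def flags_match(packet_flags, spec):
    """Does a packet carrying packet_flags satisfy a pf 'flags a/b' spec?"""
    if spec == "any":
        return True
    want, mask = spec.split("/")
    return flags_to_bits(packet_flags) & flags_to_bits(mask) == flags_to_bits(want)


def rule(action, direction, flags, port=None):
    """One 'quick' pf rule; port=None means 'all' (any destination port)."""
    return {"action": action, "direction": direction, "flags": flags, "port": port}


# The three rules from the post, in order (interface/protocol omitted).
POSTED_RULES = [
    rule("pass", "out", "S/SA"),
    rule("pass", "in", "S/SA", port=48080),
    rule("block", "in", "any"),
]

# Same ruleset with the mask widened so FIN and RST must also be clear
# (assumption: "S/SAFR" is a common practitioner choice, not from the post).
HARDENED_RULES = [
    rule("pass", "out", "S/SAFR"),
    rule("pass", "in", "S/SAFR", port=48080),
    rule("block", "in", "any"),
]


def decide(ruleset, direction, dport, packet_flags):
    """First-match ('quick') evaluation; pf's default is pass when nothing matches."""
    for r in ruleset:
        if r["direction"] != direction:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        if not flags_match(packet_flags, r["flags"]):
            continue
        return r["action"]
    return "pass"


def probe_table(ruleset):
    """Decisions for a constructed set of inbound probes, keyed 'flags->port'."""
    probes = [("S", 48080), ("SF", 48080), ("SA", 48080), ("A", 48080), ("S", 22)]
    return {f"{flags}->{port}": decide(ruleset, "in", port, flags)
            for flags, port in probes}


if __name__ == "__main__":
    for name, rs in (("posted S/SA", POSTED_RULES), ("S/SAFR", HARDENED_RULES)):
        print(name, probe_table(rs))
```

Because FIN is not named in the `SA` mask, a SYN+FIN probe to port 48080 matches the posted `pass in ... flags S/SA` rule rather than falling through to the final block rule; with the mask widened to `SAFR` the same probe fails the pass rule and is dropped and logged by `block in quick log`. A plain SYN to an unlisted port, and a bare ACK to 48080, reach the block rule under either ruleset.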