SYN+FIN packets and PF
Posted on 2013-09-18
With scrubbing turned on, the PF packet filter "normalizes" packets with the SYN+FIN flags set. A tcpdump on both sides of the firewall shows the packet coming in with SYN+FIN, then passing into the network with only the SYN flag set. With the same rules, a packet with SYN+RST gets dropped.
Why wouldn't the packet filter just drop this packet? Is there any circumstance where a TCP packet would legitimately have both of those flags set? And is this something we should block, or is the behaviour of stripping the FIN flag and passing the packet on acceptable?
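The two outcomes described above can be modelled on raw TCP headers, which is handy for checking captures taken on either side of the firewall. This is an added example, not PF's code and not from the original post; the function names and sample headers are constructed, and only the SYN+FIN and SYN+RST cases reported here are modelled.

```python
import struct

# TCP flag bits (byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(SYN, "SYN"), (FIN, "FIN"), (RST, "RST"),
         (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]

def build_tcp_header(flags, sport=40000, dport=80, seq=1):
    """Constructed 20-byte TCP header for the demo (checksum left at 0)."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       offset_flags, 65535, 0, 0)

def tcp_flags(header):
    """Extract the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F

def flag_names(flags):
    return "+".join(name for bit, name in NAMES if flags & bit) or "none"

def scrub_model(header):
    """Model of the behaviour observed in the post (an assumption-level
    sketch): SYN+RST is dropped, SYN+FIN passes with FIN cleared,
    everything else is left alone. Returns (verdict, flags_out)."""
    flags = tcp_flags(header)
    if flags & SYN and flags & RST:
        return "drop", None
    if flags & SYN and flags & FIN:
        return "pass-modified", flags & ~FIN
    return "pass", flags

if __name__ == "__main__":
    # Constructed samples: the two combinations from the post plus a plain SYN
    for sample in (SYN | FIN, SYN | RST, SYN):
        verdict, out = scrub_model(build_tcp_header(sample))
        shown = flag_names(out) if out is not None else "-"
        print(f"in={flag_names(sample):8} verdict={verdict:13} out={shown}")
```
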