From owner-freebsd-questions@FreeBSD.ORG Thu Aug 7 22:38:59 2008
From: Michael Powell
To: freebsd-questions@freebsd.org
Date: Thu, 07 Aug 2008 18:40:29 -0400
Subject: Re: Remote host replies to SYN+FIN
References: <489A8EA3.5030102@el.net> <489B3FFD.308@el.net>
Reply-To: nightrecon@verizon.net
List-Id: User questions

kalin m wrote:

> does anybody have any idea how to resolve this?
> [snip]

Not without a lot more information. But I may be able to fathom some wild guess, generically speaking.
Only allow connections to set up like this:

    pass out quick on $ExtIF inet proto tcp all flags S/SA keep state
    pass in quick on $ExtIF inet proto tcp from any to any port 48080 flags S/SA keep state

Notice I included the "keep state" for illustrative purposes. With the latest version of pf this is now the default condition and including it is no longer required.

Then either block the SYN+FIN before they reach these rules, or simply allow it to fall through to a generic dumping rule like this:

    block in quick log on $ExtIF all

This way the SYN+FIN doesn't match the rules for legitimate traffic and "falls through" to default block all "non-legitimate" traffic.

YMMV

- Mike
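pf's `flags a/b` syntax (pf.conf(5)) checks only the flags named in the mask b and requires exactly those in a to be set; flags outside b are ignored, so the mask decides whether a SYN+FIN segment is treated like a plain SYN. The following is an added Python model of that check plus pf's first-match `quick` evaluation, not code from the post or from pf itself, run over constructed flag combinations against the three rules above with the S/SA mask and, for comparison, a wider S/SAFR mask, so a reader can see which rule each segment actually hits.

```python
# Model of pf "flags a/b" matching and quick/last-match rule evaluation.
# Added example, not pf code; rules mirror the three in the post, with the
# inbound pass rule's flag mask parameterised. Packets are constructed.

# TCP header flag bits, keyed by pf's single-letter names.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flags_to_bits(letters):
    return sum(FLAG_BITS[c] for c in letters)


def flags_match(pkt_flags, spec):
    """pf 'flags a/b': of the flags in mask b, exactly those in a must be
    set; flags not listed in b are not examined at all."""
    if spec == "any":
        return True
    a, b = spec.split("/")
    return (pkt_flags & flags_to_bits(b)) == flags_to_bits(a)


def evaluate(rules, direction, dport, pkt_flags):
    """Return the label of the winning rule: last match wins, unless a
    matching rule carries 'quick', which ends evaluation at once."""
    winner = "default pass"
    for r in rules:
        if r["dir"] != direction:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        if not flags_match(pkt_flags, r["flags"]):
            continue
        winner = r["label"]
        if r["quick"]:
            break
    return winner


def ruleset(mask):
    # Same order as the post: two quick pass rules, then the quick block.
    return [
        {"label": "pass out S/" + mask, "dir": "out", "port": None, "flags": "S/" + mask, "quick": True},
        {"label": "pass in 48080", "dir": "in", "port": 48080, "flags": "S/" + mask, "quick": True},
        {"label": "block in log", "dir": "in", "port": None, "flags": "any", "quick": True},
    ]


def classify(mask, letters, dport=48080):
    """Which rule an inbound segment with the given flags hits under a mask."""
    return evaluate(ruleset(mask), "in", dport, flags_to_bits(letters))


if __name__ == "__main__":
    for mask in ("SA", "SAFR"):
        for letters in ("S", "SF", "SA", "A", "FPU"):
            print("S/%-4s %-3s -> %s" % (mask, letters, classify(mask, letters)))
```

Under S/SA a SYN+FIN segment to port 48080 reaches the pass rule because FIN is outside the mask; widening the mask to S/SAFR sends it to the logging block rule instead.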