kern/190102: [tcp] net.inet.tcp.drop_synfin=1 no longer works on FreeBSD 10+ [regression]

Eygene Ryabinkin rea at
Sat May 31 13:57:44 UTC 2014

Fri, May 30, 2014 at 10:58:14AM -0700, hiren panchasara wrote:
> > clearing FIN bit for SYN packets was
> > the standard behaviour of pf since approximately at least 10 years,
> >
> I am curious, what's the rationale for this behavior? Why does PF
> clear the FIN bit for such a packet being a firewall?

My understanding is that it is done to conceal specific reaction of
the host's TCP stack that pf's "scrub" rule protects from the outer
world scanning.
Eygene Ryabinkin                                        ,,,^..^,,,
[ Life's unfair - but root password helps!           | ]
[ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | ]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 358 bytes
Desc: not available
URL: <>

More information about the freebsd-net mailing list