stealth firewall ahead years ago, one of those idiots believing in "stealth" "invisible" (hahaha) firewalls found a way to detect an OpenBSD+pf bridge send packet with corrupt protocol (tcp/udp) checksum end host would drop it pf, if told to filter that, sends back an tcp RST or icmp error if specifically told so by the idio^Wguy who wrote the ruleset voila, your "invisible" firewall isn't all that invisible but why should it in the first place