Date: Thu, 16 Sep 2004 19:56:56 -0700 (PDT)
From: jdroflet@canada.com
To: freebsd-questions@FreeBSD.ORG
Cc: freebsd-security@freebsd.org
Subject: Using TCP_DROP_SYNFIN on DMZ firewall ?
Message-ID: <20040916195657.26606.h002.c009.wm@mail.canada.com.criticalpath.net>
If I use this setting on the DMZ firewall, would it affect a web server running in the DMZ behind the FW? The web server IP/port would be redirected into the DMZ by natd, or does this only break SYN+FIN if the web server is running on the same box?

As stated in LINT:

# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
# options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN

Thanks,
Jon.
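An added example, not part of Jon's post or of the FreeBSD source: a small Python audit that applies the rule the LINT comment describes (discard any TCP segment carrying both SYN and FIN) to a few constructed TCP headers, so an admin can see which kinds of segments the option would silence on the box where it is enabled. The header builder, sample packets and verdict labels are all assumptions made for the illustration.

```python
import struct

# TCP flag bits (RFC 793 layout, low bits of the data-offset/flags word)
TH_FIN = 0x01
TH_SYN = 0x02
TH_ACK = 0x10


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header (no options) used only for the samples below."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, flags in the low 9 bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)


def tcp_flags(tcp_header):
    """Extract the 9 flag bits from bytes 12-13 of a raw TCP header."""
    (offset_flags,) = struct.unpack_from("!H", tcp_header, 12)
    return offset_flags & 0x1FF


def would_drop_synfin(tcp_header):
    """Assumed reading of TCP_DROP_SYNFIN: drop a segment that has SYN and FIN both set."""
    flags = tcp_flags(tcp_header)
    return (flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)


def audit(packets):
    """Label each (name, header) pair 'drop' or 'pass' under the SYN+FIN rule."""
    return [(name, "drop" if would_drop_synfin(hdr) else "pass") for name, hdr in packets]


# Constructed sample segments to and from a web server listening on port 80.
SAMPLE_PACKETS = [
    ("plain SYN", build_tcp_header(40001, 80, TH_SYN)),
    ("SYN+FIN open", build_tcp_header(40002, 80, TH_SYN | TH_FIN)),  # RFC1644-style or a scanner probe
    ("SYN+ACK reply", build_tcp_header(80, 40001, TH_SYN | TH_ACK)),
    ("FIN+ACK close", build_tcp_header(40001, 80, TH_FIN | TH_ACK)),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PACKETS):
        print(f"{name:14s} -> {verdict}")
```

Only the SYN+FIN segment is discarded; ordinary handshakes and teardowns are untouched, which is the trade-off the LINT note refers to.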