From: jdroflet@canada.com
To: freebsd-questions@FreeBSD.ORG
Cc: freebsd-security@freebsd.org
Date: Thu, 16 Sep 2004 19:56:56 -0700 (PDT)
Message-Id: <20040916195657.26606.h002.c009.wm@mail.canada.com.criticalpath.net>
Subject: Using TCP_DROP_SYNFIN on DMZ firewall ?

If I use this setting on the DMZ firewall, would it affect a web server running in the DMZ behind the FW? The web server IP/port would be redirected into the DMZ by natd. Or does this only break SYN+FIN if the web server is running on the same box?

As stated in LINT:

# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
options TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN

Thanks,
Jon.
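As an added illustration, not part of Jon's mail, the check below mirrors what a kernel built with TCP_DROP_SYNFIN does: it parses raw IPv4/TCP packets, flags segments carrying both SYN and FIN, and tallies how many a stack with the option would ignore. The packets, addresses and ports are constructed for the example; the function names are my own.

```python
import struct
from typing import List, Tuple

TH_FIN = 0x01   # TCP FIN flag bit
TH_SYN = 0x02   # TCP SYN flag bit


def tcp_flags(packet: bytes) -> int:
    """Return the TCP flags byte of a raw IPv4 packet (no link-layer header)."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6:                    # IP protocol 6 is TCP
        raise ValueError("not a TCP segment")
    return packet[ihl + 13]               # flags byte sits at TCP header offset 13


def is_synfin(packet: bytes) -> bool:
    """True when SYN and FIN are both set: the combination TCP_DROP_SYNFIN discards."""
    return tcp_flags(packet) & (TH_SYN | TH_FIN) == (TH_SYN | TH_FIN)


def build_packet(flags: int, dst: str = "10.0.0.1") -> bytes:
    """Construct a minimal 40-byte IPv4+TCP packet with the given flags (checksums left 0)."""
    src = bytes(map(int, "192.0.2.10".split(".")))      # constructed sample source
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         src, bytes(map(int, dst.split("."))))
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def audit(packets: List[bytes]) -> Tuple[int, int]:
    """Return (accepted, dropped) counts as a TCP_DROP_SYNFIN stack would treat them."""
    dropped = sum(1 for p in packets if is_synfin(p))
    return len(packets) - dropped, dropped


if __name__ == "__main__":
    sample = [build_packet(TH_SYN), build_packet(TH_SYN | TH_FIN), build_packet(TH_FIN)]
    print("accepted, dropped:", audit(sample))
```

Counting SYN+FIN segments this way, from a capture taken on the firewall's outside interface, shows how often such probes actually arrive before deciding whether the option is worth its RFC1644 cost.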