From owner-freebsd-security Sun Dec 16 23:31:08 2001
Delivered-To: freebsd-security@freebsd.org
Received: from noname.csdl.lt (noname.csdl.lt [194.176.40.182]) by hub.freebsd.org (Postfix) with SMTP id 0C32337B416 for ; Sun, 16 Dec 2001 23:31:05 -0800 (PST)
Received: (qmail 94628 invoked by uid 1000); 17 Dec 2001 07:31:03 -0000
Date: Mon, 17 Dec 2001 09:31:03 +0200
From: Paulius Bulotas
To: freebsd-security@freebsd.org
Subject: options TCP_DROP_SYNFIN
Message-ID: <20011217073102.GA94480@noname>
Mail-Followup-To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
User-Agent: Mutt/1.3.24i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello,

in LINT there is a comment for the ^ option:

# TCP_DROP_SYNFIN adds support for ignoring TCP packets with
# SYN+FIN. This prevents nmap et al. from identifying the
# TCP/IP stack, but breaks support for RFC1644 extensions
# and is not recommended for web servers.

So, what's wrong if it is included/enabled on a web server? I've read the RFC quickly, but haven't found anything that would be useful for web servers (or is that only intended for future use?) and was really widely used at this time. Can anyone explain why enabling this option is wrong on a web server?

Regards,
Paulius
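As an added illustration (not part of the original post or of FreeBSD's kernel code), the Python below mirrors the flag check that TCP_DROP_SYNFIN adds and runs it over three constructed segments; the RFC1644 T/TCP-style segment, which carries the HTTP request inside a SYN+FIN, is what the LINT comment's web-server caveat refers to. The header layout follows RFC 793; the listen-socket decision logic is a simplified stand-in, not the kernel's.

```python
import struct

# TCP flag bits in byte 13 of the header (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HEADER_LEN = 20


def build_segment(flags: int, payload: bytes = b"") -> bytes:
    """Constructed TCP segment with dummy ports/sequence numbers, no options."""
    hdr = struct.pack("!HHIIBBHHH",
                      40000, 80,                   # src port, dst port (web server)
                      1000, 0,                     # seq, ack
                      (TCP_HEADER_LEN // 4) << 4,  # data offset in 32-bit words
                      flags, 65535, 0, 0)          # flags, window, checksum, urg ptr
    return hdr + payload


def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP segment that starts at its header."""
    if len(segment) < TCP_HEADER_LEN:
        raise ValueError("truncated TCP header")
    return segment[13]


def drop_synfin(segment: bytes) -> bool:
    """The check TCP_DROP_SYNFIN adds: SYN and FIN set together -> discard."""
    return tcp_flags(segment) & (SYN | FIN) == (SYN | FIN)


def listen_socket_decision(segment: bytes, synfin_enabled: bool) -> str:
    """Simplified view of what a listening web server's stack does with a segment."""
    flags = tcp_flags(segment)
    if synfin_enabled and drop_synfin(segment):
        return "dropped"
    if flags & SYN and not flags & ACK:
        # RFC 1644 T/TCP folds request data into the SYN (possibly with FIN).
        payload = segment[TCP_HEADER_LEN:]
        return "handshake+data" if payload else "handshake"
    return "not for a listening socket"


# Constructed sample traffic: a normal SYN, a bare SYN+FIN segment, and a
# T/TCP transaction that carries the HTTP request in the SYN+FIN segment.
SAMPLES = {
    "plain SYN": build_segment(SYN),
    "bare SYN+FIN": build_segment(SYN | FIN),
    "T/TCP request": build_segment(SYN | FIN | PSH, b"GET / HTTP/1.0\r\n\r\n"),
}


def compare(synfin_enabled: bool) -> dict:
    """Decision per sample with TCP_DROP_SYNFIN off or on."""
    return {name: listen_socket_decision(seg, synfin_enabled) for name, seg in SAMPLES.items()}
```

With the option on, the T/TCP request is discarded along with the bare SYN+FIN, which is the loss of RFC1644 support the LINT comment describes.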