From owner-freebsd-security  Sun Dec 16 23:31: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from noname.csdl.lt (noname.csdl.lt [194.176.40.182])
	by hub.freebsd.org (Postfix) with SMTP id 0C32337B416
	for <freebsd-security@freebsd.org>; Sun, 16 Dec 2001 23:31:05 -0800 (PST)
Received: (qmail 94628 invoked by uid 1000); 17 Dec 2001 07:31:03 -0000
Date: Mon, 17 Dec 2001 09:31:03 +0200
From: Paulius Bulotas <paulius@kaktusas.org>
To: freebsd-security@freebsd.org
Subject: options TCP_DROP_SYNFIN
Message-ID: <20011217073102.GA94480@noname>
Mail-Followup-To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
User-Agent: Mutt/1.3.24i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Hello,

in LINT there is a comment for ^ option:
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with 
# SYN+FIN. This prevents nmap et al. from identifying the 
# TCP/IP stack, but breaks support for RFC1644 extensions 
# and is not recommended for web servers.

So, what's wrong, if it will be included/enabled on web server? I've
read rfc quickly, but haven't found anything that would be useful for
web servers (or that's only intended for future use?) and was really
used at this time widely.
Anyone can explain, why enabling this option is wrong on web server?

Regards,
Paulius

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message