Date: Thu, 15 May 2003 19:13:12 +0100
From: Jez Hancock
To: freebsd-questions@freebsd.org
Subject: Re: Securing FreeBSD
Message-ID: <20030515181311.GA19054@users.munk.nu>
In-Reply-To: <001001c31b0b$efe77720$c700a8c0@p2000>

On Thu, May 15, 2003 at 07:00:57PM +0100, G D McKee wrote:
> Can someone explain to me why the TCP_DROP_SYNFIN option breaks web
> access? It doesn't seem to have made any changes that I have noticed.
> I can't find any docs regarding this to explain what it might break.
> Does anyone know any other variables to add to make me more secure?

I imagine it breaks the 'keepalive' functionality of various webservers
which allows a webserver to keep a connection alive for a certain period
of time to save the browser/client having to keep re-establishing a TCP
connection when they browse from one page to another on a site.
Would be worth checking the RFC that's mentioned (iirc) in the LINT file to confirm this.