From owner-freebsd-security Thu Jan 20 21:26:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 5334215493 for ; Thu, 20 Jan 2000 21:26:12 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id VAA56412; Thu, 20 Jan 2000 21:21:36 -0800 (PST) (envelope-from dillon)
Date: Thu, 20 Jan 2000 21:21:36 -0800 (PST)
From: Matthew Dillon
Message-Id: <200001210521.VAA56412@apollo.backplane.com>
To: Brett Glass
Cc: Alfred Perlstein, security@FreeBSD.ORG
Subject: Re: stream.c worst-case kernel paths
References: <4.2.2.20000120182425.01886ec0@localhost> <20000120195257.G14030@fw.wintelcom.net> <4.2.2.20000120220649.018faa80@localhost>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:How about one of the "golden" releases along 3.X-STABLE? After all, those
:of us who are conservative will not be deploying 4.X in mission-critical
:applications until the 4.1 or 4.2 point release (depending on how well
:things go).
:
:I'd certainly like to see TCP_RESTRICT_RST on by default. Blocking RSTs
:is getting to be a standard feature. Our lab's Windows boxes run BlackIce
:Defender, which does this, and it makes them pretty resilient.
:
:And is there any reason NOT to turn on TCP_DROP_SYNFIN?
:
:--Brett

    I think it's a bad idea to make anything that breaks the protocol
    standard the default. I don't like the idea of always dropping (instead
    of sending an RST) - it's much better to band-limit the rate to deal
    with D.O.S. attacks and follow the protocol spec at all other times.

    For the same reason I don't particularly like the idea of killing
    SYN+FIN gratuitously. I couldn't care less whether nmap is able to
    identify my machine or not, but I care greatly about protocol breakage.

						-Matt
						Matthew Dillon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
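The approach Dillon argues for above, band-limiting outbound RSTs during a flood while still answering per the TCP spec at all other times, as an added illustration that is not the FreeBSD kernel's own code. The per-second window, the 200 RST/s budget and the function names are assumptions chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-second band limiter for outbound RSTs (added example,
 * not FreeBSD's implementation). */
struct rst_bandlim {
    uint32_t window_start;  /* start of the current 1-second window */
    uint32_t count;         /* RSTs already sent in this window */
    uint32_t limit;         /* max RSTs per second; 0 disables limiting */
};

/* Decide whether to send an RST at time `now` (whole seconds).
 * Returns 1 if the RST should go out (protocol followed), 0 if it is
 * suppressed because this second's budget is already spent. */
int rst_bandlim_allow(struct rst_bandlim *bl, uint32_t now)
{
    if (bl->limit == 0)
        return 1;                       /* limiting disabled: always comply */
    if (now != bl->window_start) {      /* new second: reset the budget */
        bl->window_start = now;
        bl->count = 0;
    }
    if (bl->count < bl->limit) {
        bl->count++;
        return 1;
    }
    return 0;                           /* budget exhausted: drop this one */
}

/* Simulate `n` RST-triggering packets arriving within second `now`;
 * returns how many RSTs were actually emitted. */
uint32_t rst_simulate_burst(struct rst_bandlim *bl, uint32_t now, uint32_t n)
{
    uint32_t sent = 0;
    for (uint32_t i = 0; i < n; i++)
        sent += (uint32_t)rst_bandlim_allow(bl, now);
    return sent;
}

int main(void)
{
    struct rst_bandlim bl = { 0, 0, 200 };   /* assumed budget: 200 RST/s */
    /* Constructed scenario: a 10000-packet flood in one second, then a
     * quiet second with 5 legitimate closed-port probes. */
    printf("flood second: %u of 10000 RSTs sent\n",
           rst_simulate_burst(&bl, 100, 10000));
    printf("quiet second: %u of 5 RSTs sent\n",
           rst_simulate_burst(&bl, 101, 5));
    return 0;
}
```

With limiting disabled (`limit == 0`) the function behaves exactly as an unmodified stack would, which is the "follow the spec at all other times" property the reply asks for.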