From owner-freebsd-stable Sun Feb 25 4:46: 0 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 0AC5F37B4EC
	for ; Sun, 25 Feb 2001 04:45:57 -0800 (PST)
	(envelope-from des@ofug.org)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id NAA59931;
	Sun, 25 Feb 2001 13:45:54 +0100 (CET)
	(envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
	coincide with those of any organisation or company with
	which I am or have been affiliated.
To: Alexandr Kovalenko
Cc: Alex Hayward , freebsd-stable@FreeBSD.ORG
Subject: Re: Re[2]: ipfw drop syn+fin
References: <15867369422.20010225143757@yahoo.com>
From: Dag-Erling Smorgrav
Date: 25 Feb 2001 13:45:53 +0100
In-Reply-To: Dag-Erling Smorgrav's message of "25 Feb 2001 13:43:57 +0100"
Message-ID:
Lines: 14
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dag-Erling Smorgrav writes:
> The size of the files you serve is irrelevant. It's the size of the
> requests that matters. But anyway, RFC1644 never went past
> "experimental", and T/TCP support is off by default in FreeBSD, so
> blocking SYN+FIN segments won't disable anything.

One thing I should add, though - there's no real reason to block
SYN+FIN segments unless you have a serious reason to believe that your
machine is a high-profile target for script and packet kiddies. The
TCP_DROP_SYNFIN option was developed for EFNet IRC servers.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
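An added example, not part of the original message: a Python classifier a defender could run over captured TCP headers to check, before enabling a SYN+FIN drop, whether any SYN+FIN segments carry the RFC 1644 connection-count options (CC, CC.NEW, CC.ECHO; option kinds 11, 12, 13) that a T/TCP sender would include. The function names, result labels and sample headers are constructed for this example.

```python
import struct

FIN, SYN = 0x01, 0x02
# TCP option kinds defined by RFC 1644 (T/TCP): CC, CC.NEW, CC.ECHO
TTCP_OPTION_KINDS = {11, 12, 13}

def parse_tcp_options(opts: bytes):
    """Yield (kind, data) for each TCP option; stop at the first malformed one."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            return
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            return
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return                         # bad length field, stop parsing
        yield kind, opts[i + 2:i + length]
        i += length

def classify_segment(tcp: bytes) -> str:
    """Classify a raw TCP header (IP header already stripped) by SYN/FIN use."""
    if len(tcp) < 20:
        return "truncated"
    offset_flags = struct.unpack("!H", tcp[12:14])[0]
    header_len = (offset_flags >> 12) * 4  # data offset is in 32-bit words
    if header_len < 20 or header_len > len(tcp):
        return "malformed"
    flags = offset_flags & 0x01FF
    if not (flags & SYN and flags & FIN):
        return "normal"
    kinds = {kind for kind, _ in parse_tcp_options(tcp[20:header_len])}
    if kinds & TTCP_OPTION_KINDS:
        return "syn+fin with T/TCP options"
    return "syn+fin without T/TCP options"

def build_header(flags: int, options: bytes = b"") -> bytes:
    """Build a constructed sample TCP header; ports and sequence are arbitrary."""
    options += b"\x00" * (-len(options) % 4)       # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 40000, 6667, 1, 0,
                       (offset << 12) | flags, 65535, 0, 0) + options
```
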