Date:      Wed, 06 Jul 2005 07:39:13 +0200
From:      des@des.no (Dag-Erling Smørgrav)
To:        Jesper Wallin <jesper@hackunite.net>
Cc:        freebsd-security@freebsd.org, Darren Reed <avalon@caligula.anu.edu.au>
Subject:   Re: packets with syn/fin vs pf_norm.c
Message-ID:  <86br5gpk72.fsf@xps.des.no>
In-Reply-To: <42CAA478.7010806@hackunite.net> (Jesper Wallin's message of "Tue, 05 Jul 2005 17:17:12 +0200")
References:  <200507051428.j65ESjJu001522@caligula.anu.edu.au> <42CAA478.7010806@hackunite.net>

Jesper Wallin <jesper@hackunite.net> writes:
> Also, I wonder why the TCP_DROP_SYNFIN option isn't checked in pf_norm.c?

Because there's no reason for it to be.

> Sure, it might be bad/good/whatever dropping packets with SYN/FIN,
> but if you decide to do it and add the TCP_DROP_SYNFIN option, then
> it should drop them even if you use pf, ipf or ipfw..

No.  If you want to drop SYN+FIN frames that pass *through* you (as
opposed to those sent *to* you), it's easy enough to add a firewall
rule.

The TCP_DROP_SYNFIN option should be removed; it has long outlived its
original purpose (which was to prevent nmap identification of IRC
servers which didn't run ipfw for performance reasons, back in the 3.0
days).

DES
-- 
Dag-Erling Smørgrav - des@des.no
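The "firewall rule" the reply refers to, written out as an added example (not part of the original message or of FreeBSD's own configuration). It shows how to drop TCP segments with both SYN and FIN set in pf, with the equivalent ipfw rule in a comment for comparison; the interface name `$ext_if` is an assumed macro, and the rules must come before any `pass` rule because of `quick`.

```pf
# Added example, not from the original thread.
# pf.conf: "flags SF/SF" means "SYN and FIN must both be set; other flags
# are not examined". Put this ahead of the pass rules: "quick" stops rule
# evaluation on the first match, so later pass rules never see the packet.
ext_if = "em0"   # assumed interface name

block in log quick on $ext_if inet proto tcp flags SF/SF

# Without the explicit rule, a stateful "pass ... flags S/SA" would still
# accept a SYN+FIN segment: the default mask (SA) does not include FIN.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 flags S/SA keep state

# ipfw equivalent (one rule, loaded with ipfw(8) instead of pf.conf):
#   ipfw add 100 deny log tcp from any to any tcpflags syn,fin
```

This rule drops SYN+FIN traffic both destined to the host and forwarded through it, which is the distinction the reply draws: the kernel option only covers segments addressed to the local TCP stack, while a filter rule covers both cases.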