From: Dag-Erling Smorgrav
Date: 25 Feb 2001 14:15:32 +0100
To: Alexandr Kovalenko
Cc: Alex Hayward, freebsd-stable@FreeBSD.ORG
Subject: Re: Re[4]: ipfw drop syn+fin

Alexandr Kovalenko writes:
> I'm running heavily loaded freemail/freeforum/freechat/free*
> webserver, could it be the reason for adding TCP_DROP_SYNFIN? Can I be
> target of these things?

TCP_DROP_SYNFIN and TCP_RESTRICT_RST were developed specifically to
prevent nmap from reporting useful information about machines that use
them, and are probably only useful in the very peculiar world that EFNet
IRC servers live in. TCP_RESTRICT_RST should probably be dyked out now
that we have blackhole(4), and TCP_DROP_SYNFIN should be changed to
rewrite packets instead of dropping them, and made non-optional.

DES
--
Dag-Erling Smorgrav - des@ofug.org