Date:      Thu, 22 Feb 2001 11:52:42 +0300
From:      Alexandr Kovalenko <neve_ripe@yahoo.com>
To:        freebsd-stable@freebsd.org
Subject:   ipfw drop syn+fin
Message-ID:  <4346812337.20010222115242@yahoo.com>

Dear Sirs,

     I'm trying to protect my server from syn+fin portscans, so I
     decided to add the rule

     deny tcp from any to any in recv fxp0 tcpflags syn+fin

     (I cannot recompile and reboot my machine for now, so I cannot
     add "options TCP_DROP_SYNFIN" into my kernel, so I'm using ipfw.)

     I've noticed that there is a hint in LINT about this:

     # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
     # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
     # for RFC1644 extensions and is not recommended for web servers.

     I'm wondering _why_ it is not recommended for web servers?

     Thank you for your answer!

-- 
Best regards,
 Alexandr                          mailto:neve_ripe@yahoo.com



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
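Added example, not part of the original post: a small Python model of how an ipfw(8) "tcpflags" match is evaluated against raw TCP headers, written in ipfw's comma-separated flag syntax ("syn,fin", with "!" for a flag that must be clear). It constructs a few sample TCP headers (a normal handshake plus two SYN+FIN probes from a second address), checks which ones the deny rule would catch, and counts the matching sources so an administrator can see what such a rule drops before enabling it. The interface qualifier ("in recv fxp0") and the IP layer are not modelled; addresses and ports are constructed sample values.

```python
"""
Constructed example of ipfw(8)-style tcpflags matching over raw TCP headers.
Not the FreeBSD ipfw implementation; a minimal model for illustration.
"""
import struct
from collections import Counter

# TCP flag bits in header byte 13 (RFC 793), keyed by the ipfw(8) flag names.
TCP_FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04,
    "psh": 0x08, "ack": 0x10, "urg": 0x20,
}


def parse_tcpflags_spec(spec):
    """Parse an ipfw tcpflags spec such as "syn,fin" or "syn,!ack".

    Returns (must_be_set, must_be_clear) as bitmasks over byte 13.
    """
    set_mask = clear_mask = 0
    for tok in spec.split(","):
        tok = tok.strip().lower()
        negate = tok.startswith("!")
        name = tok[1:] if negate else tok
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name!r}")
        if negate:
            clear_mask |= TCP_FLAGS[name]
        else:
            set_mask |= TCP_FLAGS[name]
    return set_mask, clear_mask


def tcp_flags_of(header):
    """Return the six classic flag bits from a raw 20-byte TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    # Byte 12 holds data offset/reserved bits; byte 13 holds the flags.
    return header[13] & 0x3F


def rule_matches(spec, header):
    """True if the header satisfies every set/clear requirement in spec."""
    set_mask, clear_mask = parse_tcpflags_spec(spec)
    flags = tcp_flags_of(header)
    return (flags & set_mask) == set_mask and (flags & clear_mask) == 0


def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header: seq/ack 0, offset 5, window 1024."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


# Constructed sample traffic: one ordinary connection from 192.0.2.10 and
# two SYN+FIN probes from 198.51.100.7 (documentation-range addresses).
SAMPLE_PACKETS = [
    ("192.0.2.10", build_tcp_header(40000, 80, TCP_FLAGS["syn"])),
    ("192.0.2.10", build_tcp_header(40000, 80, TCP_FLAGS["ack"])),
    ("192.0.2.10", build_tcp_header(40000, 80, TCP_FLAGS["fin"] | TCP_FLAGS["ack"])),
    ("198.51.100.7", build_tcp_header(55555, 22, TCP_FLAGS["syn"] | TCP_FLAGS["fin"])),
    ("198.51.100.7", build_tcp_header(55556, 25, TCP_FLAGS["syn"] | TCP_FLAGS["fin"])),
]


def count_synfin_sources(packets, spec="syn,fin"):
    """Per-source count of packets the deny rule would drop."""
    return Counter(src for src, hdr in packets if rule_matches(spec, hdr))


if __name__ == "__main__":
    for src, hits in count_synfin_sources(SAMPLE_PACKETS).items():
        print(f"{src}: {hits} packet(s) matched tcpflags syn,fin")
```

Only the two probe segments match; the ordinary SYN, ACK and FIN+ACK segments pass untouched. The LINT comment's caveat follows from the same check: RFC 1644 (T/TCP) legitimately sends SYN and FIN in one segment to open and close a transaction, so a blanket SYN+FIN drop discards those clients along with the scanner's probes.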

