From owner-freebsd-stable Thu Feb 22 8: 4: 3 2001
Message-ID: <004501c09ce8$f1cfd850$1200a8c0@gsicomp.on.ca>
From: "Matthew Emmerton"
To: "Alexandr Kovalenko"
Cc:
References: <4346812337.20010222115242@yahoo.com>
Subject: Re: ipfw drop syn+fin
Date: Thu, 22 Feb 2001 11:03:06 -0500

> # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> # for RFC1644 extensions and is not recommended for web servers.
>
> I'm wondering _why_ it is not recommended for web servers?

I may not be 100% on this, but I'll give it a shot.

One of the "features" of TCP is to bundle multiple commands in one transmission. Say a web client has a few connections to a web server. One of those connections is retrieving an image (for example). When it's finished, it will send a FIN to the server to close that connection. However, at the same time, the web client wants to open a new connection to the same machine, which requires a SYN to be sent. The smart TCP/IP stack on the web client will set both the SYN and FIN bits in one packet, which means "close this connection, and open a new one."

As you can see, not allowing this feature on a web server could result in connections not being closed/opened, and cause strange activity to occur on the client's end and make it appear that the web server is flaky.

--
Matt Emmerton
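As an added illustration (not part of the original thread or of FreeBSD's code): a small Python parser that pulls the TCP control bits out of a raw IPv4/TCP packet and reports whether the SYN+FIN combination that TCP_DROP_SYNFIN ignores is present, so a defender can check captured packets for the same condition. The packet builder, ports and 10.0.0.x addresses are constructed sample data.

```python
import struct

# TCP control bits (RFC 793), low six bits of TCP header byte 13.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32
FLAG_NAMES = {TCP_FIN: "FIN", TCP_SYN: "SYN", TCP_RST: "RST",
              TCP_PSH: "PSH", TCP_ACK: "ACK", TCP_URG: "URG"}


def tcp_flags(ip_packet: bytes) -> int:
    """Return the TCP flag bits of a raw IPv4 packet, honouring IP options.

    Raises ValueError for non-IPv4, non-TCP or truncated packets.
    """
    if len(ip_packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = ip_packet[0], ip_packet[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    tcp = ip_packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    return tcp[13] & 0x3F


def is_syn_fin(ip_packet: bytes) -> bool:
    """True when SYN and FIN are both set, the case TCP_DROP_SYNFIN ignores."""
    both = TCP_SYN | TCP_FIN
    return tcp_flags(ip_packet) & both == both


def build_packet(flags: int, src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Construct a minimal IPv4+TCP packet (sample data; checksums left zero
    because only the flag byte is inspected)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, flags,
                      65535, 0, 0)
    return ip + tcp


def classify(ip_packet: bytes) -> str:
    """Describe the filter verdict and the flags seen, e.g. 'drop (FIN+SYN)'."""
    flags = tcp_flags(ip_packet)
    names = "+".join(n for bit, n in FLAG_NAMES.items() if flags & bit)
    return f"{'drop' if is_syn_fin(ip_packet) else 'pass'} ({names or 'none'})"


if __name__ == "__main__":
    for f in (TCP_SYN, TCP_SYN | TCP_FIN, TCP_FIN | TCP_ACK):
        print(classify(build_packet(f)))
```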