Date: Thu, 22 Feb 2001 08:51:33 -0800 (PST)
From: Tom
To: Alexandr Kovalenko
Cc: freebsd-stable@freebsd.org
Subject: Re: ipfw drop syn+fin
In-Reply-To: <4346812337.20010222115242@yahoo.com>

On Thu, 22 Feb 2001, Alexandr Kovalenko wrote:

> # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> # for RFC1644 extensions and is not recommended for web servers.
>
> I'm wondering _why_ it is not recommended for web servers?

Because RFC1644 extensions are valuable for web servers, and clients use them when making web requests. So guess what happens when your server drops requests using RFC1644 extensions?

Tom
Uniserve
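The conflict discussed in this thread, as an added example that is not part of the original messages or of FreeBSD's code: an RFC 1644 (T/TCP) request carries SYN, FIN and data in one segment together with a CC option, so a filter that ignores every SYN+FIN segment also discards it. The function names, the classification enum and both sample segments are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TH_FIN 0x01
#define TH_SYN 0x02
#define SYNFIN (TH_SYN | TH_FIN)
enum seg_class { NOT_SYNFIN, SYNFIN_TTCP, SYNFIN_BARE, MALFORMED };

/* Constructed samples: raw TCP segments, no IP header, checksum left zero. */
/* T/TCP request: SYN|FIN|PSH, options NOP NOP CC(kind 11, len 6), data "GET". */
static const uint8_t ttcp_req[] = {
    0x04,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x70, 0x0b, 0x20,0x00, 0,0, 0,0,
    0x01, 0x01, 0x0b, 0x06, 0,0,0,1, 'G','E','T' };
/* Option-less SYN|FIN, the kind of segment a stack fingerprinter sends. */
static const uint8_t bare_probe[] = {
    0x04,0x01, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50, 0x03, 0x20,0x00, 0,0, 0,0 };

/* Hypothetical model of the behaviour in the quoted comment: ignore SYN+FIN. */
int drops_synfin(const uint8_t *seg, size_t len)
{
    return len >= 20 && (seg[13] & SYNFIN) == SYNFIN;
}

/* Tell an RFC 1644 transaction (CC or CC.NEW option) from a bare SYN+FIN. */
enum seg_class classify(const uint8_t *seg, size_t len)
{
    if (len < 20) return MALFORMED;
    size_t hlen = (size_t)(seg[12] >> 4) * 4;      /* data offset in bytes */
    if (hlen < 20 || hlen > len) return MALFORMED;
    if ((seg[13] & SYNFIN) != SYNFIN) return NOT_SYNFIN;
    for (size_t i = 20; i < hlen; ) {
        uint8_t kind = seg[i];
        if (kind == 0) break;                      /* end of option list */
        if (kind == 1) { i++; continue; }          /* NOP padding */
        if (i + 1 >= hlen) return MALFORMED;
        size_t olen = seg[i + 1];
        if (olen < 2 || i + olen > hlen) return MALFORMED;
        if ((kind == 11 || kind == 12) && olen == 6) return SYNFIN_TTCP;
        i += olen;
    }
    return SYNFIN_BARE;
}

int main(void)
{
    printf("T/TCP request: class=%d dropped=%d\n",
           classify(ttcp_req, sizeof ttcp_req), drops_synfin(ttcp_req, sizeof ttcp_req));
    printf("bare probe:    class=%d dropped=%d\n",
           classify(bare_probe, sizeof bare_probe), drops_synfin(bare_probe, sizeof bare_probe));
    return 0;
}
```

Both samples are dropped by the flag-only check, although only the second is an option-less probe; the first is a legitimate T/TCP request.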