Date: Fri, 23 Feb 2001 09:37:31 +1100
From: Mark.Andrews@nominum.com
To: "Matthew Emmerton" <matt@gsicomp.on.ca>
Cc: "Alexandr Kovalenko" <neve_ripe@yahoo.com>, freebsd-stable@freebsd.org
Subject: Re: ipfw drop syn+fin
Message-ID: <200102222237.f1MMbVh38760@drugs.dv.isc.org>
In-Reply-To: Your message of "Thu, 22 Feb 2001 11:03:06 CDT." <004501c09ce8$f1cfd850$1200a8c0@gsicomp.on.ca>
> > # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> > # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> > # for RFC1644 extensions and is not recommended for web servers.
> >
> > I'm wondering _why_ it is not recommended for web servers?
>
> I may not be 100% on this, but I'll give it a shot.
>
> One of the "features" of TCP is to bundle multiple commands in one
> transmission.
>
> Say a web client has a few connections to a web server. One of those
> connections is retrieving an image (for example). When it's finished, it
> will send a FIN to the server to close that connection. However, at the
> same time, the web client wants to open a new connection to the same
> machine, which requires a SYN to be sent. The smart TCP/IP stack on the web
> client will set both the SYN and FIN bits in one packet, which means "close
> this connection, and open a new one."

No, it means open this connection with this data, then start to close it,
as this is the only data I am going to send you. It saves a few round trip
times.

> As you can see, not allowing this feature on a web server could result in
> connections not being closed/open, and cause strange activity to occur on
> the client's end and make it appear that the web server is flaky.
>
> --
> Matt Emmerton
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com
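The trade-off the thread is arguing about is easiest to see on the wire. The following is an added example (not code from the thread, from FreeBSD, or from ipfw): it decodes the flag byte of a raw TCP segment and reports whether a blanket SYN+FIN drop such as TCP_DROP_SYNFIN would discard it. The segments are constructed inline with zeroed sequence numbers and checksum; the helper names (`build_segment`, `classify`) and the sample labels are assumptions for the sake of the example. Note that the rule drops both the bare SYN+FIN fingerprint probe and the RFC 1644 style "open, send my data, close" segment that carries a payload, which is exactly why it is flagged as not recommended for web servers.

```python
import struct

# TCP flag bits as they appear in the flag byte (octet 13 of the header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
              (PSH, "PSH"), (ACK, "ACK"), (URG, "URG"))


def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP segment (header starts at offset 0)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def data_offset(segment: bytes) -> int:
    """Header length in bytes: upper nibble of octet 12, in 32-bit words."""
    return (segment[12] >> 4) * 4


def payload_len(segment: bytes) -> int:
    """Bytes of application data following the TCP header."""
    return max(0, len(segment) - data_offset(segment))


def flag_names(flags: int) -> str:
    """Human-readable 'SYN+FIN' style rendering of the flag byte."""
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    return "+".join(names) if names else "none"


def classify(segment: bytes) -> dict:
    """Describe a segment and say whether a SYN+FIN drop rule would discard it."""
    flags = tcp_flags(segment)
    synfin = (flags & (SYN | FIN)) == (SYN | FIN)
    return {
        "flags": flag_names(flags),
        "payload": payload_len(segment),
        "dropped_by_tcp_drop_synfin": synfin,
    }


def build_segment(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed 20-byte TCP header (no options, seq/ack/checksum zeroed) plus payload."""
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,   # ports
                         0, 0,           # seq, ack (constructed)
                         5 << 4,         # data offset = 5 words, reserved bits 0
                         flags,          # flag byte
                         65535,          # window
                         0, 0)           # checksum (constructed), urgent pointer
    return header + payload


# Constructed sample segments, all to TCP port 80.
SAMPLES = {
    "plain SYN (normal connection open)":
        build_segment(40000, 80, SYN),
    "FIN+ACK (normal connection close)":
        build_segment(40000, 80, FIN | ACK),
    "SYN+FIN with no data (stack fingerprint probe)":
        build_segment(40001, 80, SYN | FIN),
    "SYN+FIN with data (RFC 1644 style open-send-close)":
        build_segment(40002, 80, SYN | FIN | PSH, b"GET / HTTP/1.0\r\n\r\n"),
}


def report() -> dict:
    """Classify every sample; returns {label: classification}."""
    return {label: classify(seg) for label, seg in SAMPLES.items()}


if __name__ == "__main__":
    for label, info in report().items():
        verdict = "DROP" if info["dropped_by_tcp_drop_synfin"] else "pass"
        print(f"{verdict:4} {info['flags']:8} payload={info['payload']:3}  {label}")
```

Running it shows the ordinary SYN and FIN+ACK segments passing while both SYN+FIN samples are dropped; the one with a payload is the legitimate T/TCP shape the thread describes, so a site that enables the option is trading fingerprint resistance for breaking that extension.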