Date:      Fri, 23 Feb 2001 09:37:31 +1100
From:      Mark.Andrews@nominum.com
To:        "Matthew Emmerton" <matt@gsicomp.on.ca>
Cc:        "Alexandr Kovalenko" <neve_ripe@yahoo.com>, freebsd-stable@freebsd.org
Subject:   Re: ipfw drop syn+fin 
Message-ID:  <200102222237.f1MMbVh38760@drugs.dv.isc.org>
In-Reply-To: Your message of "Thu, 22 Feb 2001 11:03:06 CDT." <004501c09ce8$f1cfd850$1200a8c0@gsicomp.on.ca> 


> >      # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> >      # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> >      # for RFC1644 extensions and is not recommended for web servers.
> >
> >      I'm wondering _why_ it is not recommended for web servers?
> 
> I may not be 100% on this, but I'll give it a shot.
> 
> One of the "features" of TCP is to bundle multiple commands in one
> transmission.
> 
> Say a web client has a few connections to a web server.  One of those
> connections is retrieving an image (for example).  When it's finished, it
> will send a FIN to the server to close that connection.  However, at the
> same time, the web client wants to open a new connection to the same
> machine, which requires a SYN to be sent.  The smart TCP/IP stack on the web
> client will set both the SYN and FIN bits in one packet, which means "close
> this connection, and open a new one."


	No, it means open this connection with this data then start to
	close it as this is the only data I am going to send you.  It
	saves a few round trip times.

> 
> As you can see, not allowing this feature on a web server could result in
> connections not being closed/open, and cause strange activity to occur on
> the client's end and make it appear that the web server is flaky.
> 
> --
> Matt Emmerton
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com
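Added example, not part of the thread or of FreeBSD's own code: a small Python parser for raw TCP segments that applies the same decision TCP_DROP_SYNFIN makes (discard anything with SYN and FIN both set) to three constructed segments. It illustrates Mark's point: a T/TCP-style SYN+FIN (RFC 1644) that carries request data is dropped exactly like a bare SYN+FIN probe, which is why the option is unwelcome on a web server. Sequence numbers, ports and the zero checksum are made-up sample values.

```python
import struct

# TCP flag bits from the low 6 bits of the data-offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_segment(segment: bytes) -> dict:
    """Parse a raw TCP segment (header + payload) into its fields."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4      # header length in bytes
    flags = off_flags & 0x3F                 # FIN..URG
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": segment[data_offset:]}


def synfin_verdict(seg: dict) -> str:
    """Mirror TCP_DROP_SYNFIN: any segment with both SYN and FIN set is dropped.

    The reason string separates the two cases the thread discusses: a
    T/TCP-style SYN+FIN that also carries data, and a bare SYN+FIN with
    no payload (the form a stack-fingerprinting probe would use).
    """
    if seg["flags"] & (SYN | FIN) != (SYN | FIN):
        return "pass"
    if seg["payload"]:
        return "drop (SYN+FIN carrying data, T/TCP-style)"
    return "drop (bare SYN+FIN, no data)"


def build_tcp_segment(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed 20-byte header (no options, checksum left at 0) plus payload."""
    header = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                         (5 << 12) | flags, 65535, 0, 0)
    return header + payload


def run_samples() -> list:
    """Constructed sample segments: a normal SYN, a T/TCP open-with-data, a bare probe."""
    samples = [
        build_tcp_segment(40000, 80, SYN),
        build_tcp_segment(40001, 80, SYN | FIN, b"GET / HTTP/1.0\r\n\r\n"),
        build_tcp_segment(40002, 80, SYN | FIN),
    ]
    return [synfin_verdict(parse_tcp_segment(s)) for s in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```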
