From owner-freebsd-stable Thu Feb 22 14:38:35 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id 87B3B37B491 for ; Thu, 22 Feb 2001 14:38:30 -0800 (PST) (envelope-from marka@nominum.com)
Received: from nominum.com (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.2/8.11.2) with ESMTP id f1MMbVh38760; Fri, 23 Feb 2001 09:37:36 +1100 (EST) (envelope-from marka@nominum.com)
Message-Id: <200102222237.f1MMbVh38760@drugs.dv.isc.org>
To: "Matthew Emmerton"
Cc: "Alexandr Kovalenko", freebsd-stable@freebsd.org
From: Mark.Andrews@nominum.com
Subject: Re: ipfw drop syn+fin
In-reply-to: Your message of "Thu, 22 Feb 2001 11:03:06 CDT." <004501c09ce8$f1cfd850$1200a8c0@gsicomp.on.ca>
Date: Fri, 23 Feb 2001 09:37:31 +1100
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> > # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> > # for RFC1644 extensions and is not recommended for web servers.
> >
> > I'm wondering _why_ it is not recommended for web servers?
>
> I may not be 100% on this, but I'll give it a shot.
>
> One of the "features" of TCP is to bundle multiple commands in one
> transmission.
>
> Say a web client has a few connections to a web server. One of those
> connections is retrieving an image (for example). When it's finished, it
> will send a FIN to the server to close that connection. However, at the
> same time, the web client wants to open a new connection to the same
> machine, which requires a SYN to be sent. The smart TCP/IP stack on the web
> client will set both the SYN and FIN bits in one packet, which means "close
> this connection, and open a new one."

	No, it means open this connection with this data, then start to
	close it, as this is the only data I am going to send you. It
	saves a few round trip times.

> As you can see, not allowing this feature on a web server could result in
> connections not being closed/opened, and cause strange activity to occur on
> the client's end and make it appear that the web server is flaky.
>
> --
> Matt Emmerton
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: Mark.Andrews@nominum.com
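As an added illustration (not part of this thread, and not the FreeBSD kernel's or ipfw's code), the following Python parses a constructed TCP header, names the control bits, and applies the same decision that the TCP_DROP_SYNFIN option makes: a segment with both SYN and FIN set is ignored. The sample segments, including a T/TCP-style SYN+FIN that carries the request data in the way Mark describes, are constructed inline; every function name here is the example's own.

```python
import struct

# TCP control bits, the low six bits of the 16-bit "data offset / flags" field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_segment(sport, dport, flags, seq=0, ack=0, payload=b""):
    """Construct a minimal TCP segment (20-byte header, no options).

    Constructed sample data for this example; the checksum is left as zero
    because nothing here validates it.
    """
    data_offset_words = 5                      # 20 bytes / 4
    off_flags = (data_offset_words << 12) | (flags & 0x3F)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         off_flags, 65535, 0, 0)
    return header + payload


def parse_tcp_header(segment):
    """Decode the fixed part of a TCP header and split off the payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset outside the segment")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x3F, "window": win,
        "data_offset": data_offset, "payload": segment[data_offset:],
    }


def flag_names(flags):
    """Human-readable flag list, e.g. 'FIN+SYN' for a T/TCP-style open."""
    names = [name for bit, name in ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
                                    (PSH, "PSH"), (ACK, "ACK"), (URG, "URG"))
             if flags & bit]
    return "+".join(names) or "none"


def is_synfin(segment):
    """True when SYN and FIN are set together, the case TCP_DROP_SYNFIN targets."""
    flags = parse_tcp_header(segment)["flags"]
    return bool(flags & SYN) and bool(flags & FIN)


def filter_segments(segments, drop_synfin):
    """Apply a TCP_DROP_SYNFIN-style policy; return (accepted, dropped_log).

    With drop_synfin=True the RFC 1644 style SYN+FIN open never reaches the
    stack, which is exactly why the option is discouraged on servers that
    want to honour such clients.
    """
    accepted, log = [], []
    for seg in segments:
        hdr = parse_tcp_header(seg)
        if drop_synfin and is_synfin(seg):
            log.append("dropped %s %d->%d seq=%d payload=%dB" % (
                flag_names(hdr["flags"]), hdr["sport"], hdr["dport"],
                hdr["seq"], len(hdr["payload"])))
        else:
            accepted.append(seg)
    return accepted, log


# Constructed sample traffic: a plain SYN, a T/TCP-style SYN+FIN carrying the
# whole request, and an ordinary FIN+ACK close.
SAMPLE = [
    build_segment(40000, 80, SYN, seq=1),
    build_segment(40001, 80, SYN | FIN, seq=7, payload=b"GET / HTTP/1.0\r\n\r\n"),
    build_segment(40002, 80, FIN | ACK, seq=3, ack=9),
]

if __name__ == "__main__":
    for seg in SAMPLE:
        h = parse_tcp_header(seg)
        print(flag_names(h["flags"]), h["sport"], "->", h["dport"],
              "payload:", h["payload"])
    kept, dropped = filter_segments(SAMPLE, drop_synfin=True)
    print("kept", len(kept), "segments;", *dropped, sep="\n")
```

Running it with `drop_synfin=True` keeps the plain SYN and the FIN+ACK but logs the SYN+FIN segment, payload and all, which is the request that would silently go unanswered on a server built with the option.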