From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
Date: Tue, 15 Jun 2004 08:32:50 -0400
To: dave
cc: freebsd-questions@freebsd.org
Subject: Re: options tcp_drop_synfin and virtual hosts
Message-ID: <40CEEC72.50409@mac.com>
In-Reply-To: <000701c45284$98c478b0$0200a8c0@satellite>
References: <000701c45284$98c478b0$0200a8c0@satellite>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608

dave wrote:
> Is there a doc that says what the tcp_drop_synfin option does and what
> effect it has on webservers and why it should never be used on such?

The meaning of the SYN and FIN flags is discussed in RFC-793.

Normally, one goes through the 3WHS and exchanges some data before one side decides to close, but HTTP requests can fit within the first data packet, so one might shortcut or streamline the process (or am I mixing concepts from T/TCP?). Anyway, the effectiveness of the tcp_drop_synfin option is marginal compared to running a "real" firewall, even one on that host.

-- 
-Chuck
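The following is an added example, not part of Chuck's reply or of FreeBSD's own code. It models the decision the drop-SYN/FIN option makes (reject any segment with both SYN and FIN set) against a constructed packet trace: a normal three-way handshake followed by a GET and a FIN, plus one single-segment request that carries SYN and FIN together, as a T/TCP-style transaction or a fingerprinting probe would. The header builder, the sample ports, sequence numbers and payload are all constructed for the example; checksums are left at zero since only the flag byte matters here.

```python
import struct

# TCP flag bits as laid out in the RFC 793 flags byte (header offset 13).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header with no options.

    Constructed helper for the example; checksum and urgent pointer are zero.
    """
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def parse_flags(segment):
    """Return the set of flag names set in a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    flag_byte = segment[13]
    return {name for bit, name in FLAG_NAMES.items() if flag_byte & bit}


def drop_synfin(segment):
    """Mimic the drop-SYN/FIN decision: True means the segment is discarded."""
    flags = parse_flags(segment)
    return "SYN" in flags and "FIN" in flags


def filter_segments(segments):
    """Split a trace into (passed, dropped) lists of sorted flag names."""
    passed, dropped = [], []
    for seg in segments:
        (dropped if drop_synfin(seg) else passed).append(sorted(parse_flags(seg)))
    return passed, dropped


# Constructed trace: client 40000 -> web server port 80, normal 3WHS,
# one request in the first data segment, then an orderly close.
HANDSHAKE = [
    build_tcp_header(40000, 80, 1000, 0, SYN),
    build_tcp_header(80, 40000, 5000, 1001, SYN | ACK),
    build_tcp_header(40000, 80, 1001, 5001, ACK),
    build_tcp_header(40000, 80, 1001, 5001, PSH | ACK) + b"GET / HTTP/1.0\r\n\r\n",
    build_tcp_header(40000, 80, 1019, 5001, FIN | ACK),
]

# Constructed single-segment request with SYN and FIN set at once; this is
# the shape the option rejects, whether it is a T/TCP transaction or a probe.
SYNFIN_REQUEST = build_tcp_header(40000, 80, 1000, 0, SYN | FIN) + b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    passed, dropped = filter_segments(HANDSHAKE + [SYNFIN_REQUEST])
    print("passed :", passed)
    print("dropped:", dropped)
```

Running it shows the ordinary handshake, request and close all pass untouched, and only the combined SYN+FIN segment is dropped; a regular browser never emits that combination, which is why the option has little effect on a normal web server while a host firewall gives far broader control.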