Date: Thu, 22 Feb 2001 23:58:35 -0500
From: "Louis A. Mamakos" <louie@TransSys.COM>
To: "Matthew Emmerton" <matt@gsicomp.on.ca>
Cc: "Alexandr Kovalenko" <neve_ripe@yahoo.com>, freebsd-stable@FreeBSD.ORG
Subject: Re: ipfw drop syn+fin
Message-ID: <200102230458.f1N4wZD72398@whizzo.transsys.com>
In-Reply-To: Your message of "Thu, 22 Feb 2001 11:03:06 EST." <004501c09ce8$f1cfd850$1200a8c0@gsicomp.on.ca>
References: <4346812337.20010222115242@yahoo.com> <004501c09ce8$f1cfd850$1200a8c0@gsicomp.on.ca>
> > # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> > # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> > # for RFC1644 extensions and is not recommended for web servers.
> >
> > I'm wondering _why_ it is not recommended for web servers?
>
> I may not be 100% on this, but I'll give it a shot.
>
> One of the "features" of TCP is to bundle multiple commands in one
> transmission.
>
> Say a web client has a few connections to a web server. One of those
> connections is retrieving an image (for example). When it's finished, it
> will send a FIN to the server to close that connection. However, at the
> same time, the web client wants to open a new connection to the same
> machine, which requires a SYN to be sent. The smart TCP/IP stack on the web
> client will set both the SYN and FIN bits in one packet, which means "close
> this connection, and open a new one."

No, that's not what it means at all. What a TCP segment with both a SYN and
a FIN flag set means is that you're opening a new connection, you have a
small amount of data to send (which fits into the same segment), and that
you have no other data to send. This means that the remote TCP stack can
return one ACK segment for the FIN (which also acks the SYN and the data),
rather than requiring a separate handshake to ACK the syn, some data, and
the FIN if they were all not to arrive at the same time.
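As an added illustration of the point made in the reply above (this is not code from the thread or from FreeBSD), the following Python parses a raw TCP header, decodes its flag bits, and emulates the decision TCP_DROP_SYNFIN makes: any segment with both SYN and FIN set is discarded, including the legitimate RFC 1644 style "open, send a little data, and finish" segment that a web server behind that option would never see. The three sample segments are constructed inline, not captured traffic; `build_tcp_segment`, `would_drop_synfin` and `describe` are names chosen here, not kernel or ipfw interfaces.

```python
import struct

# TCP flag bits in the low six bits of the header's offset/flags word (RFC 793)
TH_FIN = 0x01
TH_SYN = 0x02
TH_RST = 0x04
TH_PSH = 0x08
TH_ACK = 0x10
TH_URG = 0x20

FLAG_NAMES = [(TH_FIN, "FIN"), (TH_SYN, "SYN"), (TH_RST, "RST"),
              (TH_PSH, "PSH"), (TH_ACK, "ACK"), (TH_URG, "URG")]


def build_tcp_segment(sport, dport, seq, ack, flags, payload=b""):
    """Construct a minimal TCP segment (20-byte header, no options).
    The checksum is left as zero: these bytes are only parsed, never sent."""
    data_offset = 5  # header length in 32-bit words
    offset_flags = (data_offset << 12) | (flags & 0x3F)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         offset_flags, 65535, 0, 0)
    return header + payload


def parse_tcp_segment(segment):
    """Decode the fixed TCP header and return ports, sequence numbers,
    the flag bits and the payload that follows the header (and any options)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    hdr_len = (offset_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": offset_flags & 0x3F,
        "payload": segment[hdr_len:],
    }


def flag_names(flags):
    """Human-readable list of the set flag bits, e.g. 'FIN+SYN'."""
    return "+".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def would_drop_synfin(segment):
    """Emulate the TCP_DROP_SYNFIN test (as described on this list, not
    copied from the kernel): both SYN and FIN set means the segment is
    discarded, whatever else it carries."""
    flags = parse_tcp_segment(segment)["flags"]
    return flags & (TH_SYN | TH_FIN) == (TH_SYN | TH_FIN)


def describe(segment):
    """Explain a segment in TCP terms, using the reading given in the reply:
    SYN+FIN opens a connection, carries the data, and says there is no more."""
    seg = parse_tcp_segment(segment)
    f = seg["flags"]
    if f & TH_SYN and f & TH_FIN:
        return ("SYN+FIN: open a connection, send %d bytes, and signal end of "
                "data in the same segment (RFC 1644 style)"
                % len(seg["payload"]))
    if f & TH_SYN and not f & TH_ACK:
        return "SYN: open a new connection"
    if f & TH_FIN:
        return "FIN: no more data on this connection"
    return "%s segment" % flag_names(f)


# Constructed sample segments (not captured traffic)
PLAIN_SYN = build_tcp_segment(40000, 80, 1000, 0, TH_SYN)
SYNFIN_WITH_DATA = build_tcp_segment(40001, 80, 2000, 0, TH_SYN | TH_FIN,
                                     b"GET / HTTP/1.0\r\n\r\n")
FIN_ACK = build_tcp_segment(40002, 80, 3000, 500, TH_FIN | TH_ACK)

if __name__ == "__main__":
    for seg in (PLAIN_SYN, SYNFIN_WITH_DATA, FIN_ACK):
        flags = parse_tcp_segment(seg)["flags"]
        print(flag_names(flags).ljust(8), "dropped:",
              would_drop_synfin(seg), "-", describe(seg))
```

Run as a script it prints one line per sample; only the SYN+FIN segment is reported as dropped, which is exactly the RFC 1644 exchange the kernel option trades away in return for defeating the SYN+FIN fingerprinting probe.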