From owner-freebsd-stable Fri Feb 23 2:35:10 2001
Date: Fri, 23 Feb 2001 10:34:57 +0000 (GMT)
From: Alex Hayward
To: freebsd-stable@freebsd.org
Subject: Re: ipfw drop syn+fin

On Thu, 22 Feb 2001, Tom wrote:

> On Thu, 22 Feb 2001, Alexandr Kovalenko wrote:
>
> > # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> > # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> > # for RFC1644 extensions and is not recommended for web servers.
> >
> > I'm wondering _why_ it is not recommended for web servers?
>
> Because RFC1644 extensions are valuable for web servers, and client
> clients use them when making web requests. So guess what happens when
> your server drops requests using RFC1644 extensions?

Since what it does is cut the connection open/close time (well, it shortens
the TIME_WAIT time, too, but I doubt that's so important...) from 7 packets
to 3, it's not quite so important in these days of persistent HTTP
connections. Oh, and it can't be used for the first connection a client
makes, since the server needs to cache a connection count from each client
which is passed in a TCP option. Both server and client need to be written
in a particular way to take advantage of it, too. Oh, and nothing that I've
found supports it apart from FreeBSD, which has it turned off by default.

I'd be interested to know if anyone knows any different...
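The thread turns on one detail: TCP_DROP_SYNFIN discards any segment carrying both SYN and FIN, which is exactly the shape of an RFC1644 (T/TCP) transaction request as well as of the probe nmap uses for stack fingerprinting. The short Python script below, added here as an illustration and not part of the original thread or of FreeBSD, parses the flag byte of a raw TCP header and reports which segments such a filter would have dropped, so an operator can check a capture for legitimate SYN+FIN traffic before enabling the option. The header-building helper and the sample segments are constructed for the example; only the RFC 793 header layout is real.

```python
import struct

# TCP flag bits in byte 13 of the TCP header (RFC 793 layout).
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20

TCP_HEADER_LEN = 20  # minimum header length, no options


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header with no options and a zero
    checksum. This is a constructed helper for fabricating sample segments,
    not a packet crafter: no IP header, no checksum, nothing sent."""
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp_flags(segment):
    """Return the flag byte of a raw TCP segment (header starts at offset 0)."""
    if len(segment) < TCP_HEADER_LEN:
        raise ValueError("truncated TCP header")
    return segment[13]


def is_syn_fin(segment):
    """True if SYN and FIN are both set, the combination TCP_DROP_SYNFIN discards."""
    mask = TCP_SYN | TCP_FIN
    return tcp_flags(segment) & mask == mask


def classify(segment):
    """Label a segment the way a reviewer of a capture would want to see it."""
    flags = tcp_flags(segment)
    if is_syn_fin(segment):
        # Either a T/TCP single-segment transaction (RFC1644) or a
        # fingerprinting probe; the kernel option cannot tell them apart.
        return "syn+fin"
    if flags & TCP_SYN and not flags & TCP_ACK:
        return "syn"
    if flags & TCP_SYN and flags & TCP_ACK:
        return "syn+ack"
    if flags & TCP_RST:
        return "rst"
    if flags & TCP_FIN:
        return "fin"
    return "data/ack"


def audit(segments):
    """Count segment kinds and return (counts, number that would be dropped)."""
    counts = {}
    dropped = 0
    for seg in segments:
        kind = classify(seg)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "syn+fin":
            dropped += 1
    return counts, dropped


# Constructed sample traffic: a normal handshake, a T/TCP-style request,
# and a bare SYN+FIN with no payload of the kind a scanner would send.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, TCP_SYN),
    build_tcp_header(80, 40000, TCP_SYN | TCP_ACK),
    build_tcp_header(40000, 80, TCP_ACK),
    build_tcp_header(40001, 80, TCP_SYN | TCP_FIN | TCP_PSH) + b"GET / HTTP/1.0\r\n",
    build_tcp_header(40002, 80, TCP_SYN | TCP_FIN),
    build_tcp_header(40000, 80, TCP_FIN | TCP_ACK),
]

if __name__ == "__main__":
    counts, dropped = audit(SAMPLE_SEGMENTS)
    print(counts)
    print(f"segments TCP_DROP_SYNFIN would discard: {dropped}")
```

The point the audit makes visible is the one Alex raises: the filter drops both the T/TCP request with a payload and the payload-less probe, because it keys on flags alone. Replacing the constructed list with headers pulled from a real capture of the server's port 80 traffic shows whether any client is actually sending RFC1644-style segments before the option is turned on.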