Date:      Fri, 23 Feb 2001 10:39:00 +0000
From:      simond@irrelevant.org
To:        Alex Hayward <xelah@xelah.com>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: ipfw drop syn+fin
Message-ID:  <20010223103859.D37155@irrelevant.org>
In-Reply-To: <Pine.LNX.4.10.10102231024230.15158-100000@sphinx.mythic-beasts.com>; from xelah@xelah.com on Fri, Feb 23, 2001 at 10:34:57AM +0000
References:  <Pine.BSF.4.05.10102220849460.28368-100000@shell.uniserve.ca> <Pine.LNX.4.10.10102231024230.15158-100000@sphinx.mythic-beasts.com>

On Fri, Feb 23, 2001 at 10:34:57AM +0000, Alex Hayward wrote:
> On Thu, 22 Feb 2001, Tom wrote:
> 
> > On Thu, 22 Feb 2001, Alexandr Kovalenko wrote:
> > 
> > >      # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> > >      # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> > >      # for RFC1644 extensions and is not recommended for web servers.
> > > 
> > >      I'm wondering _why_ it is not recommended for web servers?
> > 
> >   Because RFC1644 extensions are valuable for web servers, and
> > clients use them when making web requests.  So guess what happens when
> > your server drops requests using RFC1644 extensions?
> 
> Since what it does is cut the connection open/close time (well, it
> shortens the TIME_WAIT time, too, but I doubt that's so important...) from
> 7 packets to 3 it's not quite so important in these days of persistent
> HTTP connections. Oh, and it can't be used for the first connection a
> client makes since the server needs to cache a connection count from each
> client which is passed in a TCP option. Both server and client need to be
> written in a particular way to take advantage of it, too.
> 
> Oh, and nothing that I've found supports it apart from FreeBSD; which has
> it turned off by default. I'd be interested to know if anyone knows any
> different...

I know this isn't really a major platform, but the Miami TCP stack on the
Amiga supports it, along with at least one of the browsers which runs on
the Amiga :)

-- 
Simon Dick					simond@irrelevant.org
"Why do I get this urge to go bowling every time I see Tux?"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
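As an added example (not code from this thread or from FreeBSD), a small Python TCP header parser that applies the TCP_DROP_SYNFIN rule to constructed segments. It shows the point the thread is making: the rule discards any segment with both SYN and FIN set, so a bare stack-fingerprinting probe and a legitimate RFC 1644 (T/TCP) request, which sets SYN+FIN and carries a CC option, are treated identically. Option kinds 11/12/13 are RFC 1644's CC, CC.NEW and CC.ECHO; ports, sequence numbers and the connection count are made-up sample values.

```python
import struct
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TTCP_OPTIONS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}  # RFC 1644 option kinds


@dataclass
class TcpSegment:
    flags: int
    options: dict  # option kind -> raw option value bytes


def parse_tcp(segment: bytes) -> TcpSegment:
    """Parse the fixed 20-byte TCP header plus any options from a raw segment."""
    data_offset = (segment[12] >> 4) * 4  # header length in bytes
    flags = segment[13]
    options, i = {}, 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:            # End-of-option-list
            break
        if kind == 1:            # NOP is a single byte with no length field
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        options[kind] = segment[i + 2:i + length]
        i += length
    return TcpSegment(flags, options)


def drop_synfin_decision(segment: bytes) -> str:
    """Mimic TCP_DROP_SYNFIN: SYN and FIN both set means the segment is discarded,
    whether or not it carries the CC option that marks a T/TCP transaction."""
    seg = parse_tcp(segment)
    if seg.flags & (SYN | FIN) != (SYN | FIN):
        return "accept"
    is_ttcp = any(kind in seg.options for kind in TTCP_OPTIONS)
    return "drop (T/TCP request)" if is_ttcp else "drop (bare SYN+FIN)"


def build_tcp(flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed sample segment; checksum is left zero, ports/seq are arbitrary."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, flags, 65535, 0, 0)
    return hdr + options + payload


PROBE = build_tcp(SYN | FIN)                             # bare SYN+FIN probe
CC_OPTION = struct.pack("!BBI", 11, 6, 12345)            # CC option, sample count
TTCP_REQUEST = build_tcp(SYN | FIN | PSH, CC_OPTION, b"GET / HTTP/1.0\r\n\r\n")
PLAIN_SYN = build_tcp(SYN)                               # ordinary three-way handshake
```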