From owner-freebsd-stable Fri Feb 23 2:39:12 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from bumper.jellybaby.net (bumper.jellybaby.net [194.159.247.1]) by hub.freebsd.org (Postfix) with ESMTP id BC42337B491 for ; Fri, 23 Feb 2001 02:39:09 -0800 (PST) (envelope-from simond@bumper.jellybaby.net)
Received: (from simond@localhost) by bumper.jellybaby.net (8.9.2/8.9.2) id KAA39941; Fri, 23 Feb 2001 10:39:00 GMT (envelope-from simond)
Date: Fri, 23 Feb 2001 10:39:00 +0000
From: simond@irrelevant.org
To: Alex Hayward
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: ipfw drop syn+fin
Message-ID: <20010223103859.D37155@irrelevant.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from xelah@xelah.com on Fri, Feb 23, 2001 at 10:34:57AM +0000
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Feb 23, 2001 at 10:34:57AM +0000, Alex Hayward wrote:
> On Thu, 22 Feb 2001, Tom wrote:
>
> > On Thu, 22 Feb 2001, Alexandr Kovalenko wrote:
> >
> > > # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> > > # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> > > # for RFC1644 extensions and is not recommended for web servers.
> > >
> > > I'm wondering _why_ it is not recommended for web servers?
> >
> > Because RFC1644 extensions are valuable for web servers, and
> > clients use them when making web requests. So guess what happens when
> > your server drops requests using RFC1644 extensions?
>
> Since what it does is cut the connection open/close time (well, it
> shortens the TIME_WAIT time, too, but I doubt that's so important...) from
> 7 packets to 3 it's not quite so important in these days of persistent
> HTTP connections. Oh, and it can't be used for the first connection a
> client makes since the server needs to cache a connection count from each
> client which is passed in a TCP option. Both server and client need to be
> written in a particular way to take advantage of it, too.
>
> Oh, and nothing that I've found supports it apart from FreeBSD; which has
> it turned off by default. I'd be interested to know if anyone knows any
> different...

I know this isn't really a major platform, but the Miami TCP stack on the
Amiga supports it, along with at least one of the browsers which runs on
the Amiga :)

--
Simon Dick simond@irrelevant.org
"Why do I get this urge to go bowling every time I see Tux?"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
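The thread turns on one observation: the check behind TCP_DROP_SYNFIN (and an equivalent ipfw rule keyed on the SYN and FIN flags) looks only at flag bits, and a T/TCP (RFC 1644) transaction request is itself a segment with SYN and FIN set, so the filter cannot tell such a request from a bare SYN+FIN probe. The Python below is an added illustration written for this archive page; it is not FreeBSD's kernel code or anything from the people quoted above. It builds minimal TCP headers for a constructed trace (ordinary SYN, lone SYN+FIN, and the three segments of a T/TCP exchange, matching the "3 packets" Alex Hayward mentions), applies the same flag test, and reports what would be dropped. Ports, sequence numbers and the HTTP payloads are placeholders.

```python
import struct

# TCP flag bits, held in the low bits of header bytes 12-13 (RFC 793).
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10


def build_segment(flags, payload=b"", sport=40000, dport=80, seq=1, ack=0):
    """Build a minimal 20-byte TCP header (no options, checksum left 0)
    followed by an optional payload. Ports and sequence numbers are
    constructed placeholders, not values from a real capture."""
    data_offset = 5                                    # header length in 32-bit words
    offset_flags = (data_offset << 12) | (flags & 0x1FF)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         offset_flags, 65535, 0, 0)
    return header + payload


def tcp_flags(segment):
    """Return the flag bits of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!H", segment[12:14])[0] & 0x1FF


def drops_syn_fin(segment):
    """The test TCP_DROP_SYNFIN applies: SYN and FIN set in the same segment.
    Nothing else about the segment (payload, ACK bit, options) is consulted."""
    flags = tcp_flags(segment)
    return bool(flags & SYN) and bool(flags & FIN)


def filter_trace(trace):
    """Run each (label, segment) pair through the SYN+FIN check and
    return a {label: 'drop' | 'pass'} verdict map."""
    return {label: ("drop" if drops_syn_fin(seg) else "pass")
            for label, seg in trace}


# Constructed sample traffic (not captured from a real host):
#  1. an ordinary connection open (SYN only);
#  2. a lone SYN+FIN segment of the kind the kernel comment refers to;
#  3. a T/TCP transaction: request = SYN + data + FIN in one segment,
#     response = SYN+ACK + data + FIN, then a final ACK (three segments).
REQUEST = b"GET / HTTP/1.0\r\n\r\n"
RESPONSE = b"HTTP/1.0 200 OK\r\n\r\n"
SAMPLE_TRACE = [
    ("plain_syn",      build_segment(SYN)),
    ("lone_syn_fin",   build_segment(SYN | FIN)),
    ("ttcp_request",   build_segment(SYN | FIN | PSH, REQUEST)),
    ("ttcp_response",  build_segment(SYN | ACK | FIN | PSH, RESPONSE,
                                     sport=80, dport=40000)),
    ("ttcp_final_ack", build_segment(ACK)),
]

if __name__ == "__main__":
    for label, verdict in filter_trace(SAMPLE_TRACE).items():
        print(f"{label:15s} {verdict}")
```

Running it shows `plain_syn` and `ttcp_final_ack` passing while both `lone_syn_fin` and `ttcp_request` are dropped: the web server never sees the T/TCP request, which is the breakage the kernel comment warns about. A defender weighing the option therefore trades fingerprint resistance against losing RFC 1644 clients, and the flag test alone gives no way to keep one without the other.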