Date:      Wed, 6 Jul 2005 13:56:38 +1000 (Australia/ACT)
From:      Darren Reed <avalon@caligula.anu.edu.au>
To:        rcoleman@criticalmagic.com (Richard Coleman)
Cc:        freebsd-security@freebsd.org, Garrett Wollman <wollman@csail.mit.edu>, Jesper Wallin <jesper@www.hackunite.net>, Darren Reed <avalon@caligula.anu.edu.au>, Dag-Erling Smørgrav <des@des.no>
Subject:   Re: packets with syn/fin vs pf_norm.c
Message-ID:  <200507060356.j663ucHE011742@caligula.anu.edu.au>
In-Reply-To: <42CAA33D.9080505@criticalmagic.com> from "Richard Coleman" at Jul 05, 2005 11:11:57 AM

In some mail from Richard Coleman, sie said:
> 1. I thought that T/TCP was being removed from FreeBSD (already happened?).
> 2. It's trivial to predict Theo's response to this.
> 3. Since T/TCP is rare, there is little motivation to alter scrub to 
> function differently than OpenBSD with respect to these packets.  If 
> someone really needs this, there are plenty of alternatives.

I didn't know about (1) but I'd agree with (2) and (3).

> But more importantly, the original question has been lost.  The original 
> question was what should the various firewalls do when the kernel has 
> been compiled with TCP_DROP_SYNFIN.  Regardless of whether those packets 
> are valid or not, a person may have reason to compile this feature into 
> the kernel.  So, should the firewalls act differently if this kernel 
> option is used?

IMHO, No.

Darren


