Date: Tue, 8 Nov 2005 13:20:07 -0800
From: Lars Eggert <lars.eggert@netlab.nec.de>
To: Mathieu CHATEAU <gollum123@free.fr>
Cc: net@freebsd.org
Subject: Re: TCP RST handling in 6.0
Message-ID: <304C5D45-BF2F-4648-AB36-92F10BF0D482@netlab.nec.de>
In-Reply-To: <885717694.20051108205413@free.fr>
References: <E019841F-389F-4B15-942E-F30F6745ECBF@netlab.nec.de> <885717694.20051108205413@free.fr>
On Nov 8, 2005, at 11:54, Mathieu CHATEAU wrote:

> 1/ it can be set back if needed

It can be enabled, too, if needed.

> 2/ 95% of users will get benefits against 5% that will disable it

I'd love to see a source for those numbers.

> 3/ over the time, I am having above 70 lines in sysctl.conf to get
> FreeBSD secured and the network strong and fast.

It's a policy decision whether FreeBSD out-of-the-box should be heavily optimized and non-standards-conformant, or be conservatively configured. I'd argue for the latter.

> 4/ the 5% unlucky people know they must take care of it (so they will
> find out about this parameter easily, as you did)

I doubt that very many people that have "hanging" connections that do not abort will be able to trace this back to this sysctl setting. On the flip side, people concerned about the attack have likely also read about mitigation mechanisms such as this one, and are able to judge the risks of enabling it.

Lars

--
Lars Eggert
NEC Network Laboratories
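As an added illustration (not code from the thread, nor FreeBSD's own implementation), a simplified Python model of the two RST acceptance rules the thread is arguing about: the lenient rule honours any RST whose sequence number falls inside the receive window, while the strict rule, as modelled here, only honours an RST that lands exactly on the next expected sequence number. The window size, sequence numbers and the lossy teardown scenario are constructed; the model omits any tolerance or challenge-ACK behaviour a real stack may add.

```python
"""Model of lenient vs. strict TCP RST acceptance and the 'hanging connection' trade-off."""
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with modular wrap-around."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class Conn:
    rcv_nxt: int                # next sequence number the receiver expects
    rcv_wnd: int                # advertised receive window
    state: str = "ESTABLISHED"


def accept_rst(conn: Conn, seq: int, strict: bool) -> str:
    """Decide whether an RST with sequence number `seq` tears the connection down.

    strict=False: classic lenient rule, any in-window RST resets the connection.
    strict=True:  the RST must carry exactly rcv_nxt (simplified model of the
                  hardened behaviour; mismatches are silently dropped here).
    """
    if not seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "dropped: out of window"
    if strict and seq != conn.rcv_nxt:
        return "dropped: in window but not at rcv_nxt"
    conn.state = "CLOSED"
    return "accepted: connection reset"


def deliver(conn: Conn, segments: list, strict: bool):
    """Feed segments in arrival order; ('data', seq, len) or ('rst', seq). Returns (state, log)."""
    log = []
    for seg in segments:
        if seg[0] == "data":
            _, seq, length = seg
            if seq == conn.rcv_nxt:     # in-order data advances rcv_nxt; out-of-order is held, not modelled
                conn.rcv_nxt = (conn.rcv_nxt + length) % MOD
        else:
            log.append(accept_rst(conn, seg[1], strict))
    return conn.state, log


def lossy_teardown(strict: bool):
    """Constructed scenario: peer sends three 1000-byte segments then an RST; the middle one is lost."""
    conn = Conn(rcv_nxt=1_000_000, rcv_wnd=65_535)
    segs = [("data", 1_000_000, 1000), ("data", 1_002_000, 1000), ("rst", 1_003_000)]
    return deliver(conn, segs, strict)   # strict -> peer is gone but our side stays ESTABLISHED ("hangs")


def clean_teardown(strict: bool):
    """Constructed scenario: no loss, the RST arrives exactly at rcv_nxt and is honoured under both rules."""
    conn = Conn(rcv_nxt=1_000_000, rcv_wnd=65_535)
    return deliver(conn, [("data", 1_000_000, 1000), ("rst", 1_001_000)], strict)
```

Under the strict rule the lossy case leaves the local socket open until a timer or the application notices, which is the symptom Lars expects most users will not trace back to the sysctl.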