Date: Thu, 20 Jan 2000 21:21:36 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Brett Glass <brett@lariat.org>
Cc: Alfred Perlstein <bright@wintelcom.net>, security@FreeBSD.ORG
Subject: Re: stream.c worst-case kernel paths
Message-ID: <200001210521.VAA56412@apollo.backplane.com>
References: <4.2.2.20000120182425.01886ec0@localhost> <20000120195257.G14030@fw.wintelcom.net> <4.2.2.20000120220649.018faa80@localhost>
:How about one of the "golden" releases along 3.X-STABLE? After all, those
:of us who are conservative will not be deploying 4.X in mission-critical
:applications until the 4.1 or 4.2 point release (depending on how well
:things go).
:
:I'd certainly like to see TCP_RESTRICT_RST on by default. Blocking RSTs
:is getting to be a standard feature. Our lab's Windows boxes run BlackIce
:Defender, which does this, and it makes them pretty resilient.
:
:And is there any reason NOT to turn on TCP_DROP_SYNFIN?
:
:--Brett
I think it's a bad idea to make anything that breaks the protocol
standard the default. I don't like the idea of always dropping (instead
of sending an RST) - it's much better to band-limit the rate to deal
with D.O.S. attacks and follow the protocol spec at all other times.
For the same reason I don't particularly like the idea of killing
SYN+FIN gratuitously. I couldn't care less whether nmap is able
to identify my machine or not, but I care greatly about protocol
breakage.
-Matt
Matthew Dillon
<dillon@backplane.com>
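The trade-off Matt describes (always dropping versus band-limiting RSTs under a flood while staying protocol-compliant the rest of the time) can be seen in a small simulation. This is an added example, not FreeBSD kernel code and not from the thread; the one-second window counter, the limit of 200 RSTs per second and the traffic patterns are constructed assumptions.

```python
"""Simulate two policies for packets that would elicit a TCP RST
(e.g. a SYN to a closed port): unconditional drop vs. band-limiting.
Constructed example; the window counter is a simplification of what
a kernel would do, not FreeBSD's implementation."""
from dataclasses import dataclass


@dataclass
class RstBandLimiter:
    """Send at most `limit` RSTs per one-second window, drop the rest.
    Assumption: a fixed one-second window; real kernels pick their own
    timer granularity."""
    limit: int = 200
    window_start: float = 0.0
    sent_in_window: int = 0
    dropped: int = 0

    def decide(self, now: float) -> str:
        # A new one-second window resets the per-window counter.
        if now - self.window_start >= 1.0:
            self.window_start = now
            self.sent_in_window = 0
        if self.sent_in_window < self.limit:
            self.sent_in_window += 1
            return "RST"          # protocol-compliant answer
        self.dropped += 1
        return "DROP"             # over budget: silently discard


def always_drop(now: float) -> str:
    """The TCP_RESTRICT_RST-style policy: never answer with an RST."""
    return "DROP"


def simulate(policy, timestamps):
    """Apply `policy` to each packet arrival time; return the decisions."""
    return [policy(t) for t in timestamps]


def normal_traffic():
    # Constructed: ten stray connection attempts, one per second.
    return [i + 0.3 for i in range(10)]


def flood_traffic(pps: int = 5000, seconds: int = 2):
    # Constructed: `pps` packets per second for `seconds` seconds.
    return [s + i / pps for s in range(seconds) for i in range(pps)]


if __name__ == "__main__":
    for name, traffic in (("normal", normal_traffic()), ("flood", flood_traffic())):
        band = simulate(RstBandLimiter(limit=200).decide, traffic)
        print(name, "band-limit RST:", band.count("RST"), "drop:", band.count("DROP"),
              "| always-drop RST:", simulate(always_drop, traffic).count("RST"))
```

Under normal load every legitimate peer still gets its RST; only during the flood does the limiter fall back to dropping, whereas the always-drop policy never answers at all.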
