Date: Thu, 22 Feb 2001 11:03:06 -0500
From: "Matthew Emmerton" <matt@gsicomp.on.ca>
To: "Alexandr Kovalenko" <neve_ripe@yahoo.com>
Cc: <freebsd-stable@freebsd.org>
Subject: Re: ipfw drop syn+fin
Message-ID: <004501c09ce8$f1cfd850$1200a8c0@gsicomp.on.ca>
References: <4346812337.20010222115242@yahoo.com>
> # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> # for RFC1644 extensions and is not recommended for web servers.
>
> I'm wondering _why_ it is not recommended for web servers?

I may not be 100% on this, but I'll give it a shot.

One of the "features" of TCP is to bundle multiple commands in one transmission. Say a web client has a few connections to a web server. One of those connections is retrieving an image (for example). When it's finished, it will send a FIN to the server to close that connection. However, at the same time, the web client wants to open a new connection to the same machine, which requires a SYN to be sent. The smart TCP/IP stack on the web client will set both the SYN and FIN bits in one packet, which means "close this connection, and open a new one."

As you can see, not allowing this feature on a web server could result in connections not being closed/opened, and cause strange activity to occur on the client's end and make it appear that the web server is flaky.

--
Matt Emmerton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
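The thread is about a single test: does a TCP segment carry both SYN and FIN? The following is an added example, not code from the thread, from FreeBSD, or from ipfw. It builds a few constructed 20-byte TCP headers (a plain SYN, a FIN+ACK close, two SYN+FIN segments of the kind nmap-style probes and RFC 1644 clients send), parses the flag byte, and applies a drop rule modelled on the description of TCP_DROP_SYNFIN quoted above. The helper names (build_tcp_header, tcp_flags, drop_synfin, classify_all) and the sample port numbers are this example's own assumptions.

```python
import struct

# TCP flag bits from the low six bits of header bytes 12-13 (RFC 793).
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20

_FLAG_ORDER = (("SYN", SYN), ("FIN", FIN), ("RST", RST),
               ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header with no options and a zero checksum.

    Only the flag byte matters for this example; the rest is filler.
    """
    offset_flags = (5 << 12) | (flags & 0x3F)  # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, 65535, 0, 0)


def tcp_flags(header):
    """Return the six flag bits of a raw TCP header as an int."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & 0x3F


def flag_names(flags):
    """Human-readable flag list, e.g. 'SYN+FIN'."""
    names = [name for name, bit in _FLAG_ORDER if flags & bit]
    return "+".join(names) if names else "none"


def drop_synfin(header):
    """The rule the option describes: drop when SYN and FIN are both set.

    A lone SYN or a lone FIN passes; RST/PSH/ACK/URG are not consulted.
    """
    flags = tcp_flags(header)
    return (flags & (SYN | FIN)) == (SYN | FIN)


# Constructed sample segments (assumed ports; not captured traffic).
SAMPLE_SEGMENTS = {
    "normal_syn": build_tcp_header(40000, 80, SYN),
    "fin_ack_close": build_tcp_header(40000, 80, FIN | ACK),
    "synfin_probe": build_tcp_header(40001, 80, SYN | FIN),
    "synfin_psh_urg": build_tcp_header(40002, 80, SYN | FIN | PSH | URG),
}


def classify_all(segments):
    """Map each segment name to 'drop' or 'pass' under drop_synfin."""
    return {name: ("drop" if drop_synfin(hdr) else "pass")
            for name, hdr in segments.items()}


if __name__ == "__main__":
    for name, hdr in SAMPLE_SEGMENTS.items():
        verdict = "drop" if drop_synfin(hdr) else "pass"
        print(f"{name:16s} flags={flag_names(tcp_flags(hdr)):14s} {verdict}")
```

The verdict depends only on the two bits, which is why the option cannot distinguish a fingerprinting probe from a legitimate RFC 1644 segment: both set SYN and FIN, and both are dropped.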