From: Dag-Erling Smorgrav
To: Matthew Dillon
Cc: Keith Stevenson, freebsd-security@FreeBSD.ORG
Subject: Re: Some observations on stream.c and streamnt.c
Date: 22 Jan 2000 06:35:43 +0100
In-Reply-To: Matthew Dillon's message of "Fri, 21 Jan 2000 18:45:07 -0800 (PST)"

Matthew Dillon writes:
> Second, you purport that TCP_RESTRICT_RST is a better solution.
> I'll tell you something about TCP_RESTRICT_RST: It's garbage. It should
> never have been committed into the tree. It takes out *EVERY* single
> goddamn RST response in the entire TCP input chain, even the ones that
> couldn't possibly be related to an attack. It does it *all the time*,
> whether the machine is under attack or not.

1) don't teach me how TCP_RESTRICT_RST works. I wrote it.

2) it's not meant for protecting against attacks.

You can figure the rest out for yourself.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no