packets with syn/fin vs pf_norm.c
Dag-Erling Smørgrav
des at des.no
Wed Jul 6 05:39:19 GMT 2005
Jesper Wallin <jesper at hackunite.net> writes:
> Also, I wonder why the TCP_DROP_SYNFIN option isn't checked in pf_norm.c?
Because there's no reason for it to be.
> Sure, it might be bad/good/whatever dropping packets with SYN/FIN,
> but if you decide to do it and add the TCP_DROP_SYNFIN option, then
> it should drop them even if you use pf, ipf or ipfw.
No. If you want to drop SYN+FIN frames that pass *through* you (as
opposed to those sent *to* you), it's easy enough to add a firewall
rule.
The TCP_DROP_SYNFIN option should be removed; it has long outlived its
original purpose (which was to prevent nmap identification of IRC
servers which didn't run ipfw for performance reasons, back in the 3.0
days).
DES
--
Dag-Erling Smørgrav - des at des.no
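As an added illustration of the firewall-rule approach DES recommends (not part of the original mail or of FreeBSD's own configuration files): equivalent rules for pf, ipf and ipfw that drop forwarded TCP segments carrying both SYN and FIN. The interface name `em0`, the `$ext_if` macro and the ipfw rule number are assumptions.

```conf
# pf (/etc/pf.conf): "flags SF/SF" means SYN and FIN must both be set
# within the {SYN,FIN} mask, so only SYN+FIN segments match.
# ext_if is an assumed macro for the outside interface.
ext_if = "em0"
block in log quick on $ext_if proto tcp from any to any flags SF/SF

# ipf (/etc/ipf.rules): same flag/mask notation as pf.
block in log quick on em0 proto tcp from any to any flags SF/SF

# ipfw: run as a command; rule number 1000 is an arbitrary choice.
# ipfw add 1000 deny log tcp from any to any tcpflags syn,fin in via em0
```

For pf, `pfctl -nf /etc/pf.conf` parses the file without loading it, so the rule can be syntax-checked before `pfctl -f /etc/pf.conf`.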