options tcp_drop_synfin and virtual hosts

Chuck Swiger cswiger at mac.com
Tue Jun 15 05:32:57 PDT 2004


dave wrote:
> Is there a doc that says what the tcp_drop_synfin option does and what
> effect it has on webservers and why it should never be used on such?

The meaning of the SYN and FIN flags is discussed in RFC-793.

Normally, one goes through the 3WHS and exchanges some data before one side 
decides to close, but HTTP requests can fit within the first data packet so 
one might shortcut or streamline the process (or am I mixing concepts from 
T/TCP?).

Anyway, the effectiveness of the tcp_drop_synfin option is marginal compared 
to running a "real" firewall, even one on that host.

-- 
-Chuck
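
An added example, not part of the reply above and not FreeBSD's own code: a Python check that reads the RFC 793 flag bits from raw TCP segments and reports which ones have both SYN and FIN set. It assumes the option discards exactly those segments; the function names, ports and sample segments are constructed for illustration.

```python
import struct

# TCP flag bits from RFC 793 (low six bits of header byte 13).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(SYN, "SYN"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]


def build_segment(sport, dport, seq, ack, flags, payload=b""):
    """Construct a 20-byte TCP header plus payload (checksum left at 0)."""
    offset = 5 << 4  # header length in 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset, flags, 65535, 0, 0) + payload


def parse_flags(segment):
    """Return (flags, payload_length) for a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_byte, flags = struct.unpack_from("!BB", segment, 12)
    header_len = (offset_byte >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return flags & 0x3F, len(segment) - header_len


def flag_names(flags):
    return "+".join(name for bit, name in NAMES if flags & bit) or "none"


def drop_synfin(segment):
    """Assumed behaviour of the option: drop when SYN and FIN are both set."""
    flags, _ = parse_flags(segment)
    return (flags & (SYN | FIN)) == (SYN | FIN)


# Constructed sample segments, not captured traffic.
REQ = b"GET / HTTP/1.0\r\n\r\n"
SAMPLES = [
    ("handshake SYN", build_segment(40000, 80, 1000, 0, SYN)),
    ("handshake SYN+ACK", build_segment(80, 40000, 5000, 1001, SYN | ACK)),
    ("request data", build_segment(40000, 80, 1001, 5001, PSH | ACK, REQ)),
    ("normal close", build_segment(40000, 80, 1019, 5001, FIN | ACK)),
    # Open, request and close in one segment: the shortcut the reply alludes to.
    ("SYN+FIN with request", build_segment(40001, 80, 2000, 0, SYN | FIN | PSH, REQ)),
]


def report():
    return [(label, flag_names(parse_flags(s)[0]), drop_synfin(s)) for label, s in SAMPLES]


if __name__ == "__main__":
    for label, names, dropped in report():
        print(f"{label:22} {names:14} {'DROP' if dropped else 'pass'}")
```

Only the last sample is dropped; the ordinary handshake, data and close segments of a web request pass the check.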


