Using TCP_DROP_SYNFIN on DMZ firewall ?
jdroflet at canada.com
jdroflet at canada.com
Thu Sep 16 19:56:58 PDT 2004
If I use this setting on the DMZ firewall would it affect a web server
running in the DMZ behind the FW ? The web server IP/port would be
redirected into the DMZ by natd, or does this only break SYN+FIN if the
web server is running on the same box ?
As stated in LINT:
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN.
This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks
support
# for RFC1644 extensions and is not recommended for web servers.
#
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
Thanks, Jon.
More information about the freebsd-questions
mailing list