Using TCP_DROP_SYNFIN on DMZ firewall ?

jdroflet at jdroflet at
Thu Sep 16 19:56:58 PDT 2004

If I use this setting on the DMZ firewall, would it affect a web server
running in the DMZ behind the FW? The web server IP/port would be
redirected into the DMZ by natd, or does this only break SYN+FIN if the
web server is running on the same box?

As stated in LINT:
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN.  This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN

Thanks, Jon.
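As an added illustration (not part of Jon's post and not FreeBSD kernel code), the following Python emulates the check the LINT comment describes: it reads the flags byte of a raw TCP header and applies the "drop if both SYN and FIN are set" rule to a few constructed segments. All packet bytes below are constructed for the demo; the header builder, function names and the boolean standing in for the kernel option are this example's own. In the kernel the test sits in the TCP input path, i.e. it is consulted for segments delivered to the host's own TCP stack, which is why LINT warns about web servers rather than about routers.

```python
import struct

# TCP flag bits as they appear in byte 13 of the TCP header (RFC 793 / RFC 3168).
TH_FIN = 0x01
TH_SYN = 0x02
TH_RST = 0x04
TH_PUSH = 0x08
TH_ACK = 0x10
TH_URG = 0x20
TH_ECE = 0x40
TH_CWR = 0x80


def build_tcp_header(sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0, window: int = 65535) -> bytes:
    """Constructed 20-byte TCP header for the demo (no options, checksum left 0).

    Layout: sport, dport, seq, ack, data offset/reserved, flags, window,
    checksum, urgent pointer, all big-endian.
    """
    data_offset = 5 << 4  # 5 x 32-bit words = 20-byte header, reserved bits 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp_flags(tcp_header: bytes) -> int:
    """Return the 8 flag bits of a raw TCP header; reject truncated headers."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header: %d bytes" % len(tcp_header))
    return tcp_header[13]


def is_syn_fin(tcp_header: bytes) -> bool:
    """The condition TCP_DROP_SYNFIN acts on: SYN and FIN set at the same time.

    Other bits (ACK, URG, PSH, ECE, CWR) do not matter; only the two bits are masked.
    """
    mask = TH_SYN | TH_FIN
    return (tcp_flags(tcp_header) & mask) == mask


def drop_synfin_decision(tcp_header: bytes, drop_synfin_enabled: bool) -> str:
    """Emulate the input-path decision: 'drop' when the option is on and the
    segment carries SYN+FIN, otherwise 'accept' (normal processing)."""
    if drop_synfin_enabled and is_syn_fin(tcp_header):
        return "drop"
    return "accept"


# Constructed sample segments aimed at a web server port.
SAMPLES = {
    "plain_syn": build_tcp_header(40001, 80, TH_SYN),
    "syn_ack": build_tcp_header(80, 40001, TH_SYN | TH_ACK, seq=1, ack=1),
    "fin_ack": build_tcp_header(40001, 80, TH_FIN | TH_ACK, seq=100, ack=200),
    "syn_fin": build_tcp_header(40002, 80, TH_SYN | TH_FIN),
    # SYN+FIN+URG+PSH: the kind of odd combination OS fingerprinters send.
    "syn_fin_urg_psh": build_tcp_header(40003, 80, TH_SYN | TH_FIN | TH_URG | TH_PUSH),
    # T/TCP-style SYN+FIN (RFC 1644 single-segment exchange) also matches.
    "ttcp_syn_fin_ack": build_tcp_header(40004, 80, TH_SYN | TH_FIN | TH_ACK, ack=1),
}


def classify_samples(drop_synfin_enabled: bool) -> dict:
    """Run every constructed sample through the decision and return the verdicts."""
    return {name: drop_synfin_decision(hdr, drop_synfin_enabled)
            for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for enabled in (False, True):
        print("TCP_DROP_SYNFIN %s:" % ("on" if enabled else "off"))
        for name, verdict in classify_samples(enabled).items():
            print("  %-18s %s" % (name, verdict))
```

The last sample shows the cost LINT mentions: an RFC 1644 (T/TCP) client opening, sending and closing in one SYN+FIN segment looks exactly like a fingerprinting probe to this check, so it is dropped along with the nmap traffic.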
