packets with syn/fin vs pf_norm.c
Darren Reed
avalon at caligula.anu.edu.au
Wed Jul 6 03:56:56 GMT 2005
In some mail from Richard Coleman, sie said:
> 1. I thought that T/TCP was being removed from FreeBSD (already happened?).
> 2. It's trivial to predict Theo's response to this.
> 3. Since T/TCP is rare, there is little motivation to alter scrub to
> function differently than OpenBSD with respect to these packets. If
> someone really needs this, there are plenty of alternatives.
I didn't know about (1) but I'd agree with (2) and (3).
> But more importantly, the original question has been lost. The original
> question was what should the various firewalls do when the kernel has
> been compiled with TCP_DROP_SYNFIN. Regardless of whether those packets
> are valid or not, a person may have reason to compile this feature into
> the kernel. So, should the firewalls act differently if this kernel
> option is used?
IMHO, No.
Darren