Re: packets with syn/fin vs pf_norm.c

Board: FB_security, posted 2005/07/06 13:39
Jesper Wallin <jesper@hackunite.net> writes:
> Also, I wonder why the TCP_DROP_SYNFIN option isn't checked in pf_norm.c?

Because there's no reason for it to be.

> Sure, it might be bad/good/whatever dropping packets with SYN/FIN,
> but if you decide to do it and add the TCP_DROP_SYNFIN option, then
> it should drop them even if you use pf, ipf or ipfw..

No. If you want to drop SYN+FIN frames that pass *through* you (as opposed to those sent *to* you), it's easy enough to add a firewall rule. The TCP_DROP_SYNFIN option should be removed; it has long outlived its original purpose (which was to prevent nmap identification of IRC servers which didn't run ipfw for performance reasons, back in the 3.0 days)

DES
-- 
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
Article ID (AID): #12oswh00 (FB_security)
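The firewall-rule approach mentioned in the post comes down to a mask-and-compare on the TCP flags byte, which is what pf's `flags SF/SF` match expresses. The sketch below is an added example, not code from the post or from FreeBSD; `pf_flags_match`, `flag_bits` and `sample_header` are hypothetical names, the headers are constructed samples, and only the six classic flag letters are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits in byte 13 of the TCP header (RFC 793). */
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04,
       TH_PSH = 0x08, TH_ACK = 0x10, TH_URG = 0x20 };

/* Turn pf-style flag letters ("SF", "SA", ...) into a bit mask; -1 if unknown. */
static int flag_bits(const char *s)
{
    static const char letters[] = "FSRPAU";   /* bit 0 .. bit 5 */
    int bits = 0;
    for (; *s != '\0'; s++) {
        const char *p = strchr(letters, *s);
        if (p == NULL) return -1;
        bits |= 1 << (p - letters);
    }
    return bits;
}

/* "flags <set>/<mask>": among the flags named in mask, exactly those in set
 * must be on. Returns 1 = match, 0 = no match, -1 = bad input (unknown
 * letter, or header shorter than the 20-byte minimum). */
int pf_flags_match(const uint8_t *tcp, size_t len, const char *set, const char *mask)
{
    int s = flag_bits(set), m = flag_bits(mask);
    if (tcp == NULL || len < 20 || s < 0 || m < 0)
        return -1;
    return (tcp[13] & m) == s;
}

/* Constructed sample: a bare 20-byte TCP header carrying only a flags byte. */
static void sample_header(uint8_t hdr[20], uint8_t th_flags)
{
    memset(hdr, 0, 20);
    hdr[12] = 5 << 4;                         /* data offset: 5 words */
    hdr[13] = th_flags;
}

int main(void)
{
    uint8_t h[20];
    sample_header(h, TH_SYN | TH_FIN);
    printf("SYN+FIN vs SF/SF: %d\n", pf_flags_match(h, sizeof h, "SF", "SF"));
    sample_header(h, TH_SYN);
    printf("SYN     vs SF/SF: %d\n", pf_flags_match(h, sizeof h, "SF", "SF"));
    return 0;
}
```

Because the mask is `SF`, a SYN+FIN segment matches whatever other flags it carries, while an ordinary SYN or FIN+ACK does not.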