On Thu, 22 Feb 2001, Tom wrote:
> On Thu, 22 Feb 2001, Alexandr Kovalenko wrote:
>
> > # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> > # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> > # for RFC1644 extensions and is not recommended for web servers.
> >
> > I'm wondering _why_ it is not recommended for web servers?
>
> Because RFC1644 extensions are valuable for web servers, and
> clients use them when making web requests. So guess what happens when
> your server drops requests using RFC1644 extensions?

Since what it does is cut the connection open/close time (well, it
shortens the TIME_WAIT time, too, but I doubt that's so important...) from
7 packets to 3, it's not quite so important in these days of persistent
HTTP connections. Oh, and it can't be used for the first connection a
client makes since the server needs to cache a connection count from each
client which is passed in a TCP option. Both server and client need to be
written in a particular way to take advantage of it, too.

Oh, and nothing that I've found supports it apart from FreeBSD, which has
it turned off by default. I'd be interested to know if anyone knows any
different...
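An added example, not part of the thread and not FreeBSD code: a small classifier that separates SYN+FIN segments carrying an RFC 1644 connection-count option (the T/TCP traffic the option breaks) from SYN+FIN segments without one, which is the distinction a blanket drop cannot make. The function names and the sample headers are constructed for illustration; the option kinds 11 to 13 are the CC, CC.NEW and CC.ECHO options defined in RFC 1644.

```python
import struct

FIN, SYN = 0x01, 0x02
CC_KINDS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}  # RFC 1644 option kinds

def build_tcp_header(flags, options=b""):
    """Constructed sample input: a minimal TCP header with given flags/options."""
    options += b"\x01" * (-len(options) % 4)      # pad with NOPs to 32 bits
    offset = (20 + len(options)) // 4             # data offset in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                        offset << 4, flags, 65535, 0, 0)
    return fixed + options

def tcp_options(header):
    """Yield (kind, data) per TCP option; stop on truncated or bogus lengths."""
    end = min((header[12] >> 4) * 4, len(header))
    i = 20
    while i < end:
        kind = header[i]
        if kind == 0:                             # end of option list
            return
        if kind == 1:                             # NOP padding
            i += 1
            continue
        if i + 1 >= end or header[i + 1] < 2 or i + header[i + 1] > end:
            return
        yield kind, header[i + 2:i + header[i + 1]]
        i += header[i + 1]

def classify(header):
    """Label one TCP header for log triage."""
    if len(header) < 20:
        return "short"
    if header[13] & (SYN | FIN) != (SYN | FIN):
        return "not-synfin"
    cc = [CC_KINDS[k] for k, d in tcp_options(header)
          if k in CC_KINDS and len(d) == 4]       # CC options carry 4 bytes
    return "synfin-ttcp:" + ",".join(cc) if cc else "synfin-no-cc"

if __name__ == "__main__":
    samples = {
        "plain SYN": build_tcp_header(SYN),
        "SYN+FIN, no options": build_tcp_header(SYN | FIN),
        "SYN+FIN with CC": build_tcp_header(SYN | FIN, struct.pack("!BBI", 11, 6, 7)),
    }
    for name, hdr in samples.items():
        print(f"{name:22} -> {classify(hdr)}")
```

A SYN+FIN segment with no connection-count option is not valid T/TCP, so on a host where RFC 1644 is disabled anyway, counting the `synfin-no-cc` label in captures shows how much of the dropped traffic was stack probing rather than real clients.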