I think when a lot of newbies read the pf manual, they think oh...
synproxy looks like it does good things, and without really
understanding it, enable it by default?

On Tue, Oct 02, 2012 at 02:33:11PM +0200, Henning Brauer wrote:
> * David Diggles <da...@elven.com.au> [2012-10-02 13:51]:
> > but is this clear for newbies who read all the faqs?
> 
> > On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
> > > it once again comes down to "think before pushing random buttons".
> 
> this basic principle SHOULD not need documentation :)
> 
> quite seriously, this goes deep into the workings of tcp. OpenBSD
> documentation cannot and does not document the details of the
> implemented protocols. There are entire books about tcp. Read them to
> understand tcp, and read the OpenBSD documentation for the OpenBSD
> specific bits.
> 
> There isn't much we can do to prevent people from pushing buttons they
> don't understand but not providing them - which is what we do where
> possible. But by not providing synproxy we'd steal an important tool
> for fighting attacks from those who understand what they're doing.
> 
> We're not saving you from stabbing your eye with the spoon left in
> your coffee mug either. We can't.
> 
> -- 
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
