On Fri, 23 Apr 2004, jayanth wrote: > > I think Darren's suggestion would be a reasonable compromise; use the > > strict check in the ESTABLISHED state, and the permissive check otherwise. > > Established connections are what would be attacked, so we need the > > security there, but the closing states are where oddities seem to pop up, > > so we can use the permissive check there. > > > > If this is acceptable, I'd like to get it committed this weekend so that > > we can still get it into 4.10. > > > > sure, that sounds reasonable. The sysctl should be good for yahoo. > > thanks, > jayanth There wouldn't be a sysctl, as you wouldn't need one, if I understand things correctly. Since the "bad" RST is in response to the FreeBSD box sending a FIN, the FreeBSD box would have already transitioned to FIN_WAIT_1, and would accept the "bad" RST, as it would only be subject to the check we're using at present. Mike "Silby" Silbersack _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"