TCP RST handling in 6.0
Lars Eggert
lars.eggert at netlab.nec.de
Tue Nov 8 13:32:16 PST 2005
On Nov 8, 2005, at 11:54, Mathieu CHATEAU wrote:
> 1/it can be set back if needed
It can be enabled, too, if needed.
> 2/95% of users will get benefits against 5% that will disable it
I'd love to see a source for those numbers.
> 3/over time, I have above 70 lines in sysctl.conf to get
> FreeBSD secured and the network strong and fast.
It's a policy decision whether FreeBSD out-of-the box should be
heavily optimized and non-standards-conformant, or be conservatively
configured. I'd argue for the latter.
> 4/the 5% unlucky people know they must take care of it (so they will
> find out about this parameter easily, as you did)
I doubt that very many people that have "hanging" connections that do
not abort will be able to trace this back to this sysctl setting. On
the flipside, people concerned about the attack have likely also read
about mitigation mechanisms such as this one, and are able to judge
the risks of enabling it.
Lars
--
Lars Eggert NEC Network Laboratories
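The two RST acceptance rules the thread is arguing about, as an added example (not code from this thread, and not FreeBSD's own tcp_input.c path, which is a simplified model here): the RFC 793 rule honours a RST anywhere in the receive window, the strict rule honours only a RST carrying exactly rcv_nxt. The program compares how many segments a blind attacker who sweeps the sequence space needs under each rule, and then shows the "hanging connection" side effect Lars refers to: a legitimate RST that arrives after a lost data segment is accepted by RFC 793 but dropped by the strict rule. The connection state (rcv_nxt, window) and the attacker model are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Receiver-side state of one ESTABLISHED connection. The values below are
 * constructed for this example, not taken from a real trace. */
struct tcb {
    uint32_t rcv_nxt;   /* next sequence number expected from the peer */
    uint32_t rcv_wnd;   /* receive window currently advertised, in bytes */
};

const struct tcb sample_tcb = { .rcv_nxt = 0x9ABCDEF0u, .rcv_wnd = 65535 };

/* Modulo-2^32 sequence comparisons, in the style of <netinet/tcp_seq.h>. */
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/* RFC 793 rule: a RST is honoured if its sequence number lies anywhere in
 * [rcv_nxt, rcv_nxt + rcv_wnd). */
bool rst_accepted_rfc793(const struct tcb *tp, uint32_t seq)
{
    return seq_geq(seq, tp->rcv_nxt) && seq_lt(seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* Strict rule (the mitigation the thread argues about): only a RST carrying
 * exactly rcv_nxt is honoured; any other in-window RST is silently dropped. */
bool rst_accepted_strict(const struct tcb *tp, uint32_t seq)
{
    return seq == tp->rcv_nxt;
}

/* Blind attacker: knows the 4-tuple but not the sequence number, and sweeps
 * the 32-bit space with RSTs spaced `step` apart, starting at `start`.
 * Returns how many segments were sent up to and including the first one
 * accepted, or 0 if the whole sweep was rejected. */
uint32_t blind_rst_segments_needed(bool (*rule)(const struct tcb *, uint32_t),
                                   const struct tcb *tp, uint32_t start, uint32_t step)
{
    if (step == 0)
        return 0;
    uint64_t sweep = (UINT64_C(1) << 32) / step + 1;   /* enough to cover the ring */
    uint32_t seq = start;
    for (uint64_t n = 1; n <= sweep; n++, seq += step)
        if (rule(tp, seq))
            return (uint32_t)n;
    return 0;
}

/* Legitimate failure mode of the strict rule: the peer sends `lost_len` bytes
 * of data and then a RST; the data segment is lost, so the RST arrives with
 * sequence number rcv_nxt + lost_len. RFC 793 aborts the connection; the
 * strict rule drops the RST and the connection hangs until some timer fires. */
bool legit_rst_after_loss_accepted(bool (*rule)(const struct tcb *, uint32_t),
                                   const struct tcb *tp, uint32_t lost_len)
{
    return rule(tp, tp->rcv_nxt + lost_len);
}

int main(void)
{
    const struct tcb *tp = &sample_tcb;

    /* Stepping by the window size guarantees one guess lands in any RFC 793
     * window, so at most 2^32 / rcv_wnd segments are needed. */
    uint32_t n793 = blind_rst_segments_needed(rst_accepted_rfc793, tp, 0, tp->rcv_wnd);
    uint32_t nstrict = blind_rst_segments_needed(rst_accepted_strict, tp, 0, tp->rcv_wnd);
    printf("blind RST sweep, RFC 793 rule: accepted after %u segments\n", n793);
    printf("blind RST sweep, strict rule : %s\n",
           nstrict ? "accepted" : "rejected throughout (would need up to 2^32 guesses)");

    printf("legit RST after 1400-byte loss, RFC 793 rule: %s\n",
           legit_rst_after_loss_accepted(rst_accepted_rfc793, tp, 1400) ? "aborts" : "hangs");
    printf("legit RST after 1400-byte loss, strict rule : %s\n",
           legit_rst_after_loss_accepted(rst_accepted_strict, tp, 1400) ? "aborts" : "hangs");
    return 0;
}
```

With a 64 KiB window the sweep needs on the order of 2^32 / 65535, i.e. some tens of thousands of segments, under the RFC 793 rule and never succeeds under the strict rule, which is the whole benefit of the mitigation. The price is the last two lines of output: any peer whose RST follows a lost segment is no longer able to abort the connection, and the user sees a hang rather than a reset. That trade-off, not the arithmetic, is what the policy argument above is about.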