Mike Silbersack ([email protected]) wrote: > > On Fri, 23 Apr 2004, Don Lewis wrote: > > > > What type of packet was causing the Alteons to emit the RST? SYN, FIN, > > > normal data? > > > > > > Also, has Alteon fixed the problem or do their load balancers still > > > exhibit the behavior? > > > > The link I posted showed it was a FIN, and after the RST was sent (and > > ignored by the FreeBSD stack because of the strict sequence number > > check), the Alteon (or whatever it was) did not respond to the > > retransmissions of the FIN packet. > > > > Maybe we can get by with the strict check by default and add a sysctl to > > revert to the permissive check. > > I think Darren's suggestion would be a reasonable compromise; use the > strict check in the ESTABLISHED state, and the permissive check otherwise. > Established connections are what would be attacked, so we need the > security there, but the closing states are where oddities seem to pop up, > so we can use the permissive check there. > > If this is acceptable, I'd like to get it committed this weekend so that > we can still get it into 4.10. > sure, that sounds reasonable. The sysctl should be good for yahoo. thanks, jayanth _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"