Hello, to start with, I don't want to raise a troll...

Arguments to keep it set:

1/ It can be set back if needed.
2/ 95% of users will get benefits against 5% that will disable it.
3/ Over time, I have above 70 lines in sysctl.conf to get FreeBSD secured and the network strong and fast.
4/ The 5% unlucky people know they must take care of it (so they will find out about this parameter easily, as you did).

Maybe we can just set a warning during install (asking what to do)?

cheers,
Mathieu CHATEAU

Tuesday, November 8, 2005, 8:02:25 PM, you wrote:

LE> Hi,
LE> I came across the following in the release notes of 6.0 recently:
LE> "The RST handling of the FreeBSD TCP stack has been improved to make
LE> reset attacks as difficult as possible while maintaining
LE> compatibility with the widest range of TCP stacks. (...) Note that
LE> this behavior technically violates the RFC 793 specification; the
LE> conventional (but less secure) behavior can be restored by setting a
LE> new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]"
LE> This means that the default, unconfigured FreeBSD TCP implementation
LE> is no longer RFC-conformant, which has always been one of its
LE> advantages over competing systems. Although I agree that the
LE> modification can be useful in some specific setups, making it the
LE> default at this time appears hasty. The IETF's tcpm working group is
LE> evaluating mechanisms for RST processing, and one will likely move to
LE> standards track in the future.
LE> Thus, I'd like to suggest that the default for
LE> net.inet.tcp.insecure_rst be zero for now. AFAIK, any other TCP mod
LE> came disabled by default in the past, too.
LE> Lars
LE> --
LE> Lars Eggert NEC Network Laboratories

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
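Since the thread turns on whether net.inet.tcp.insecure_rst ends up set to 1 in someone's (possibly 70-line) sysctl.conf, here is an added audit script, not part of the original thread or of FreeBSD, that reports the effective value of that key in a sysctl.conf-style file. It assumes the FreeBSD sysctl.conf conventions only: one `key=value` per line, `#` starting a comment, and the last assignment of a key winning. The sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sysctl.conf-style file for
# net.inet.tcp.insecure_rst and report whether RFC 793 in-window RST
# acceptance has been re-enabled (value 1) or the hardened default applies.

# Print the effective value of $2 in file $1: comment lines, blank lines and
# trailing "# ..." comments are ignored, whitespace around key and value is
# trimmed, and the last assignment wins. Prints nothing if the key is unset.
sysctl_conf_value() {
    file=$1
    key=$2
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }                 # full-line comment
        /^[[:space:]]*$/ { next }                 # blank line
        {
            line = $0
            sub(/#.*/, "", line)                  # trailing comment
            n = index(line, "=")
            if (n == 0) next                      # not an assignment
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v                 # later lines override earlier ones
        }
        END { if (val != "") print val }
    ' "$file"
}

# Verdict for net.inet.tcp.insecure_rst in file $1.
# Exit status: 0 = hardened (unset or 0), 1 = insecure_rst=1, 2 = unexpected value.
check_insecure_rst() {
    v=$(sysctl_conf_value "$1" net.inet.tcp.insecure_rst)
    case "$v" in
        "") echo "hardened: net.inet.tcp.insecure_rst not set (default 0)"; return 0 ;;
        0)  echo "hardened: net.inet.tcp.insecure_rst=0"; return 0 ;;
        1)  echo "insecure: net.inet.tcp.insecure_rst=1 (RFC 793 in-window RST accepted)"; return 1 ;;
        *)  echo "unexpected value '$v' for net.inet.tcp.insecure_rst"; return 2 ;;
    esac
}

# Demonstration on a constructed sysctl.conf (not a real host's configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sysctl.conf
net.inet.tcp.blackhole=2        # drop segments to closed ports
net.inet.udp.blackhole=1
net.inet.tcp.insecure_rst=0
  net.inet.tcp.insecure_rst = 1 # added later, silently re-enabling RFC 793 behaviour
EOF
if check_insecure_rst "$sample"; then
    echo "no action needed"
else
    echo "review $sample: remove or set net.inet.tcp.insecure_rst=0"
fi
rm -f "$sample"
```

Run it against /etc/sysctl.conf on a host to see which way the knob is set before the next reboot; the running value is what `sysctl net.inet.tcp.insecure_rst` reports, and the two can disagree until the file is reloaded.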