I would vote no based on:
http://www.openbsd.org/faq/pf/example1.html
"For an added bit of safety, we'll make use of the TCP SYN Proxy to
further protect the web server."
which links to: http://www.openbsd.org/faq/pf/filter.html#synproxy
which gets far from saying what Henning said.
On 10/2/2012 6:30 AM, David Diggles wrote:
> I think when a lot of newbies read the pf manual, they think oh...
> synproxy looks like it does good things, and without really
> understanding it, enable it by default?
>
> On Tue, Oct 02, 2012 at 02:33:11PM +0200, Henning Brauer wrote:
> > * David Diggles <da...@elven.com.au> [2012-10-02 13:51]:
> > > but is this clear for newbies who read all the faqs?
> > > On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
> > > > it once again comes down to "think before pushing random buttons".
> > > > this basic principle SHOULD not need documentation :)
> >
> > quite seriously, this goes deep into the workings of tcp. OpenBSD
> > documentation cannot and does not document the details of the
> > implemented protocols. There are entire books about tcp. Read them to
> > understand tcp, and read the OpenBSD documentation for the OpenBSD
> > specific bits.
> >
> > There isn't much we can do to prevent people from pushing buttons they
> > don't understand but not providing them - which is what we do where
> > possible. But by not providing synproxy we'd steal an important tool
> > for fighting attacks from those who understand what they're doing.
> >
> > We're not saving you from stabbing your eye with the spoon left in
> > your coffee mug either. We can't.
> >
> > --
> > Henning Brauer, h...@bsws.de, henn...@openbsd.org
> > BS Web Services, http://bsws.de, Full-Service ISP
> > Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> > Henning Brauer Consulting, http://henningbrauer.com/
--
Tyler Morgan
Systems Administrator
Trade Tech Inc.
tyl...@tradetech.net
office: 425-837-9000 (ext. 1022)
cell/sms: 206-310-8340
fax: 425-837-9008
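For readers who want to see what the thread is arguing about in rule form, here is an added pf.conf fragment. It is not from this thread or from the OpenBSD FAQ page it links to; the interface name, the server address and the macro names ($ext_if, $web_srv) are assumed. It shows the ordinary stateful rule beside the synproxy variant the FAQ example uses, with the trade-off each one makes stated in the comments.

```conf
# Added example; the macro names and addresses below are assumed, not
# taken from the thread or the FAQ.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Default behaviour: pf tracks the connection, but the web server's own
# TCP stack answers every SYN. Under a SYN flood the server is the one
# holding the half-open connections. This is the sane default for a
# host that is not under attack.
pass in on $ext_if proto tcp to $web_srv port { 80 443 } keep state

# The alternative the FAQ reaches for: pf completes the three-way
# handshake with the client itself and only then opens the connection
# to the server, so spoofed SYNs never create server-side state.
# synproxy implies keep state and modulate state. pf must see both
# directions of the connection for this to work (asymmetric routing
# breaks it), and the server no longer sees the client's original
# handshake, which is why it is a tool for a known attack rather than
# something to switch on everywhere. Use one of the two rules for a
# given service, not both; with "last matching rule wins" the later
# rule would silently take over.
# pass in on $ext_if proto tcp to $web_srv port { 80 443 } flags S/SA synproxy state
```

Keep the first rule as the default and swap in the commented-out synproxy rule only for a service that is actually being SYN-flooded; `pfctl -s state` will then show the proxied handshakes as pf-held state rather than half-open connections on the server.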