[13070] in bugtraq
Re: Various Errors in Slackware
daemon@ATHENA.MIT.EDU (Alan Cox)
Thu Dec 23 12:40:47 1999
Content-Type: text
Message-Id: <E120rL0-0003pg-00@the-village.bc.nu>
Date: Wed, 22 Dec 1999 19:22:16 +0000
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To: david+validemail@killerlabs.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.9912212316350.2148-100000@Huntington-Beach.Blue-Labs.org> from "David Ford" at Dec 21,
99 11:34:41 pm
> I would check with Alan on the SYN cookies, iirc, there is a good reason why
> SYN cookies are not turned on by default. In 2.3.x it is not turned on by
> default in the kernel compile and again must be explicitly enabled in /proc
> after adding it to the kernel.
SYN cookies don't default to on purely because they are strictly not "the
standard". I don't actually know of anything they upset. In fact it's
normally standards-compliant stuff that causes problems:
SACK - with buggy VJ compressors
PAWS - with broken load balancers
MTU discovery - with assholes who block all ICMP out and in (some
very big names in the business meet this criterion btw)
RST cookies were also in Linux 2.0; those did cause problems with some setups
and were dropped.
> I imagine the packet forwarding is on by default in the interest of least
> surprise from slackware. I.e. why you can't pass packets across the machine
Least surprise until you accidentally have a router you didn't expect. The
RFC 1122 rules are for a very good reason.
RP filter set to 1 should be fine; that will just ignore packets externally
originated from your own interface addresses. Such packets are generally sent
only by readers of this list and others like it.
Alan
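The three /proc knobs discussed in this exchange (SYN cookies, packet forwarding, reverse-path filtering) can be audited with a small POSIX shell script. The script below is an added example, not part of Alan Cox's message or of Slackware; it assumes the Linux sysctl paths net/ipv4/tcp_syncookies, net/ipv4/ip_forward and net/ipv4/conf/all/rp_filter, and takes as its "wanted" values the settings the thread argues for (cookies on, forwarding off on a non-router, rp_filter 1). The base directory is a parameter so a copied snapshot of /proc/sys can be checked offline; the demo at the bottom builds a constructed snapshot rather than touching the running kernel.

```shell
#!/bin/sh
# Added example (not from the original post): audit the /proc/sys settings
# the thread discusses. Paths are the Linux 2.2+ sysctl layout; the wanted
# values are the thread's recommendations, an assumption for this example.
#
#   audit_sysctls [BASE]   BASE defaults to /proc/sys; pass a directory
#                          holding a copy of the tree to audit offline.
# Returns the number of knobs that are not at their wanted value.

read_knob() {
    # Print the knob's value with whitespace stripped, or "missing" if the
    # kernel (or snapshot) does not have that file at all.
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'missing'
    fi
}

check_knob() {
    # check_knob PATH WANTED LABEL -> prints one report line, returns 0 if OK
    actual=$(read_knob "$1")
    if [ "$actual" = "$2" ]; then
        printf 'OK    %s = %s\n' "$3" "$actual"
        return 0
    fi
    printf 'WARN  %s = %s (want %s)\n' "$3" "$actual" "$2"
    return 1
}

audit_sysctls() {
    base=${1:-/proc/sys}
    bad=0
    # SYN cookies: off by default for standards reasons, harmless to enable.
    check_knob "$base/net/ipv4/tcp_syncookies" 1 tcp_syncookies || bad=$((bad+1))
    # Forwarding: a host that is not meant to be a router should not route
    # (the RFC 1122 rule the message refers to).
    check_knob "$base/net/ipv4/ip_forward" 0 ip_forward || bad=$((bad+1))
    # Reverse-path filter 1: drop packets arriving from outside that claim
    # one of our own interface addresses as source.
    check_knob "$base/net/ipv4/conf/all/rp_filter" 1 rp_filter || bad=$((bad+1))
    return $bad
}

make_snapshot() {
    # make_snapshot DIR SYNCOOKIES FORWARD RPFILTER
    # Build a constructed /proc/sys-like tree (demo data, not a real kernel).
    dir=$1
    mkdir -p "$dir/net/ipv4/conf/all"
    printf '%s\n' "$2" > "$dir/net/ipv4/tcp_syncookies"
    printf '%s\n' "$3" > "$dir/net/ipv4/ip_forward"
    printf '%s\n' "$4" > "$dir/net/ipv4/conf/all/rp_filter"
}

# Demo on constructed snapshots: first the default-ish state the thread
# complains about, then the recommended one.
demo=$(mktemp -d)
make_snapshot "$demo" 0 1 0
audit_sysctls "$demo" || echo "problems: $?"
make_snapshot "$demo" 1 0 1
audit_sysctls "$demo" && echo "problems: 0"
rm -rf "$demo"
```

Run it as root with no argument to audit the live kernel (the files under /proc/sys are readable by ordinary users, so reading works unprivileged too); to change a knob rather than just report it, write the value with `echo 1 > /proc/sys/net/ipv4/tcp_syncookies` as the thread describes, which the script deliberately does not do.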