espaeth (Digital Plumber; Premium, MVM; joined 2001-04-21; Minneapolis, MN; kudos: 2; reviews: Clear Wireless), replying to Ikyuao:
Re: Thanks for your decision, but... If you block incoming TCP RST packets, there are only two ways for a TCP session to close: a valid FIN/FIN-ACK sequence, or the session has to time out.
A common place where TCP RSTs are used is in applications that reside behind a load balancer. Say you go to a website that is balanced across a pool of servers; usually your session will have a sticky association to just one of the servers. If the back-end server you are associated with goes down, the load balancer handles that by resetting the TCP session and redirecting you to another server once you establish a new TCP connection.
If you block the incoming TCP reset, your browser will still assume the connection is valid, and that website will appear to be down until the TCP session eventually times out and you attempt to establish a new session.
This is just one case of many where TCP RSTs serve a valid function.
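The teardown behaviour espaeth describes, modelled as an added example that is not part of the thread. The script below is a deliberately small connection-state tracker fed with constructed TCP segments (handshake, then either a RST from the load balancer VIP or an orderly FIN exchange). It assumes a client-side rule that drops every inbound RST, as iptables `-p tcp --tcp-flags RST RST -j DROP` would, and uses Linux conntrack's default established-session timeout of 432000 s (5 days) as the idle timer; it is not iptables or kernel code, and the addresses and timeline are made up.

```python
"""Toy TCP connection tracker showing what dropping inbound RSTs does to teardown."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# TCP header control bits (RFC 793)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

Addr = Tuple[str, int]


@dataclass(frozen=True)
class Segment:
    src: Addr
    dst: Addr
    flags: int
    t: float  # arrival time in seconds on a constructed timeline


@dataclass
class Conn:
    state: str = "CLOSED"
    fins: Set[Addr] = field(default_factory=set)
    last_seen: float = 0.0


def conn_key(seg: Segment) -> Tuple[Addr, Addr]:
    # direction-independent key so both halves of the flow share one entry
    a, b = seg.src, seg.dst
    return (a, b) if a <= b else (b, a)


class Tracker:
    """Simplified state machine; idle timeout mirrors Linux conntrack's 432000 s default."""

    def __init__(self, client_ip: str, drop_inbound_rst: bool, idle_timeout: float = 432000.0):
        self.client_ip = client_ip
        self.drop_inbound_rst = drop_inbound_rst
        self.idle_timeout = idle_timeout
        self.conns: Dict[Tuple[Addr, Addr], Conn] = {}
        self.dropped: List[Segment] = []

    def feed(self, seg: Segment) -> None:
        # The policy under discussion: an inbound RST never reaches the client's stack.
        if self.drop_inbound_rst and seg.flags & RST and seg.dst[0] == self.client_ip:
            self.dropped.append(seg)
            return
        c = self.conns.setdefault(conn_key(seg), Conn())
        c.last_seen = seg.t
        if seg.flags & RST:
            c.state = "CLOSED"  # abortive close takes effect immediately
        elif seg.flags & SYN and not seg.flags & ACK:
            c.state = "SYN_SENT"
        elif seg.flags & SYN and seg.flags & ACK:
            c.state = "SYN_RECEIVED"
        elif seg.flags & FIN:
            c.fins.add(seg.src)  # orderly close needs a FIN from each side
            c.state = "CLOSED" if len(c.fins) == 2 else "FIN_WAIT"
        elif seg.flags & ACK and c.state == "SYN_RECEIVED":
            c.state = "ESTABLISHED"

    def state_at(self, k: Tuple[Addr, Addr], now: float) -> str:
        c = self.conns[k]
        if c.state != "CLOSED" and now - c.last_seen > self.idle_timeout:
            return "CLOSED"  # the only remaining way out: the idle timer
        return c.state


CLIENT: Addr = ("10.0.0.2", 40000)      # constructed client address
VIP: Addr = ("203.0.113.10", 80)        # constructed load-balancer VIP


def handshake(t0: float) -> List[Segment]:
    return [Segment(CLIENT, VIP, SYN, t0),
            Segment(VIP, CLIENT, SYN | ACK, t0 + 0.01),
            Segment(CLIENT, VIP, ACK, t0 + 0.02)]


def run(drop_inbound_rst: bool, teardown: List[Segment], now: float) -> str:
    tr = Tracker(CLIENT[0], drop_inbound_rst)
    for s in handshake(0.0) + teardown:
        tr.feed(s)
    return tr.state_at(conn_key(teardown[0]), now)


# Scenario A: the backend behind the VIP dies at t=10 and the balancer resets the session.
RST_FROM_LB = [Segment(VIP, CLIENT, RST | ACK, 10.0)]
# Scenario B: the server closes politely with FIN and the client answers with its own FIN.
FIN_EXCHANGE = [Segment(VIP, CLIENT, FIN | ACK, 10.0), Segment(CLIENT, VIP, FIN | ACK, 10.01)]


def demo() -> Dict[str, str]:
    return {
        "rst_allowed": run(False, RST_FROM_LB, now=11.0),
        "rst_dropped": run(True, RST_FROM_LB, now=11.0),
        "rst_dropped_after_timeout": run(True, RST_FROM_LB, now=10.0 + 432001.0),
        "fin_with_rst_dropped": run(True, FIN_EXCHANGE, now=11.0),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:28s} {state}")
```

With RSTs allowed the session is CLOSED one second after the balancer resets it; with inbound RSTs dropped it stays ESTABLISHED on the client side until the idle timer expires, while the FIN path still closes normally, which is exactly the two remaining exits the post names.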
Ikyuao (joined 2007-02-26; Wichita, KS; reviews: Cox HSI):
said by espaeth: If you block incoming TCP RST packets there are only 2 ways for a TCP session to close: a valid FIN/FIN-ACK sequence, or the session has to time out.
That is exactly it: I leave only the FIN and FIN/ACK sequence allowed in both directions of traffic. -- A professional Linux environment blows Microsoft Windows out of the water.
espaeth (Digital Plumber; Premium, MVM; joined 2001-04-21; Minneapolis, MN; kudos: 2; reviews: Clear Wireless):
said by Ikyuao: That is exactly it: I leave only the FIN and FIN/ACK sequence allowed in both directions of traffic.
So you are operating your system in a way that contradicts the operation of TCP as described in RFC 793.
Eventually that is going to bite you. Standards are funny that way.
Ikyuao (joined 2007-02-26; Wichita, KS; reviews: Cox HSI):
That is not going to happen and bite me at all, so it is not going to happen to the applications either; the applications and their functions are fine, and there is nothing wrong with the applications, in that I have no issues with applications. TCP RST is not used by the applications unless there is no response to a connection over TCP, so the user's browser application may have to click the "reload" button to send a TCP RST to the host server to disconnect the TCP virtual circuit on the server side. The server side really can send out a TCP RST if there are connection problems, but that isn't going to work, because the client-side iptables firewall swallows the TCP RST packet into a hole until the user manually clicks the browser's reload button to send a TCP RST packet to the server side to cut the connection. -- A professional Linux environment blows Microsoft Windows out of the water.