From: "Graham Anderson" <ganderson@dusa.co.uk>
To: freebsd-questions@freebsd.org
Date: Mon, 26 Apr 2004 12:02:30 +0100
Message-ID: <00a201c42b7d$f7f85550$14082486@EINSTEIN>
Subject: SYN scans and ipfw/kernel options

I'm looking for advice on some options to help against SYN and other stealth scans.

I've compiled my kernel with the TCP_DROP_SYNFIN option but have read that enabling this with tcp_drop_synfin=YES in rc.conf may not be the best thing to do if I want to use httpd. What are the problems with using tcp_drop_synfin=YES on a web server? Will it break anything, or is this simply non-RFC-compliant? Also, does this simply drop packets with both SYN+FIN, or either of them?

Also, trying to config a kernel with TCP_RESTRICT_RST fails as an unknown option. Like ICMP_BANDLIM, is this enabled by default on CURRENT?

If I shouldn't use tcp_drop_synfin=YES in rc.conf on a web server, what rule would be suitable for dropping SYN packets in my ipfw ruleset?

Cheers
Graham

----------------------
Graham Anderson
Dundee University Students Association
DUSA
Airlie Place
Dundee
DD1 4HP
01382 223084
----------------------
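The post asks whether the SYN+FIN drop applies to packets carrying both flags or either of them, and what an equivalent ipfw rule would look like. The following is an added example, not code from the poster or from FreeBSD: it parses the flag byte of a raw TCP header, models the documented semantics of the net.inet.tcp.drop_synfin sysctl (which tcp_drop_synfin=YES in rc.conf turns on and which discards segments only when SYN and FIN are both set) and emulates an ipfw `tcpflags` match, where every listed flag must be set and a `!`-prefixed flag must be clear. The three sample headers are constructed inline; the function and variable names are the example's own.

```python
"""Classify TCP flag combinations the way FreeBSD's drop_synfin sysctl and an
ipfw 'tcpflags' rule would see them. Added example, not from the original post."""
import struct

# TCP flag bits as they appear in byte 13 of the header (RFC 793 layout).
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
SYN_FIN = FLAG_BITS["syn"] | FLAG_BITS["fin"]


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header (>= 20 bytes)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Byte 12 holds the data offset and reserved bits; byte 13 holds the flags.
    return segment[13] & 0x3F


def flag_names(flags: int) -> list:
    """Human-readable list of the flags that are set, in header bit order."""
    return [name for name, bit in FLAG_BITS.items() if flags & bit]


def ipfw_tcpflags_match(flags: int, spec: str) -> bool:
    """Emulate ipfw's 'tcpflags spec': each listed flag must be set, a flag
    written with a leading '!' must be clear, and unlisted flags are ignored
    (so 'syn,fin' matches SYN+FIN whether or not ACK is also set)."""
    for item in spec.split(","):
        item = item.strip().lower()
        want_clear = item.startswith("!")
        name = item.lstrip("!")
        if name not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {name!r}")
        is_set = bool(flags & FLAG_BITS[name])
        if is_set == want_clear:
            return False
    return True


def drop_synfin(flags: int) -> bool:
    """net.inet.tcp.drop_synfin semantics: discard only when BOTH SYN and FIN
    are set. A lone SYN (a normal connection request to httpd) or a lone FIN
    is left alone, which is why the sysctl does not break a web server's
    ordinary handshakes."""
    return flags & SYN_FIN == SYN_FIN


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (constructed sample, checksum 0)."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, reserved bits clear
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 65535, 0, 0)


def classify(segment: bytes) -> dict:
    """Summarise how the sysctl and two ipfw flag specs treat one segment."""
    f = tcp_flags(segment)
    return {
        "flags": flag_names(f),
        "dropped_by_drop_synfin": drop_synfin(f),
        # equivalent ipfw rule: deny tcp from any to any tcpflags syn,fin
        "matches_ipfw_syn_fin": ipfw_tcpflags_match(f, "syn,fin"),
        # what a legitimate connection request looks like
        "normal_syn": ipfw_tcpflags_match(f, "syn,!ack,!fin,!rst"),
    }


# Constructed samples: a client SYN to port 80, a SYN+FIN segment, a FIN|ACK close.
SAMPLES = {
    "client_syn": build_tcp_header(40000, 80, FLAG_BITS["syn"]),
    "syn_fin": build_tcp_header(40000, 80, SYN_FIN),
    "fin_ack_close": build_tcp_header(40000, 80, FLAG_BITS["fin"] | FLAG_BITS["ack"]),
}

if __name__ == "__main__":
    for label, seg in SAMPLES.items():
        print(label, classify(seg))
```

Running the script shows that only the SYN+FIN sample is dropped by the sysctl or matched by `tcpflags syn,fin`, while the plain client SYN passes both and satisfies the `syn,!ack,!fin,!rst` shape of a normal handshake; a rule that denied every SYN, by contrast, would stop httpd accepting any connection at all.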