From: "Liran Dahan"
Delivered-To: freebsd-security@freebsd.org
Subject: Re: Syn+Fin (Setup) And TCP RST
Date: Wed, 30 May 2001 00:11:00 +0200

Yes, you're right, I noticed it just now. I've changed the variable net.inet.tcp.restrict_rst to 1 and saw it took me ages till I got Connection timeout.. so what can be the problem.. why is my firewall not sending TCP RST when I'm doing ipfw add reset tcp from any to any ?

-Liran Dahan- (lirandb@netvision.net.il)

----- Original Message -----
From: "Arthur W. Neilson III"
To: "Liran Dahan"
Sent: Tuesday, May 29, 2001 10:52 PM
Subject: Re: Syn+Fin (Setup) And TCP RST

> adding these options to your kernel config merely compiles in
> the code to support these features. In order to actually turn them
> on you have to set the variables in rc.conf to "YES" or turn them
> on via sysctl(1) ...
>
> # For the following two options, you need to have
> # TCP_DROP_SYNFIN and TCP_RESTRICT_RST
> # set in your kernel. Please refer to LINT for details.
> tcp_drop_synfin="NO"    # Set to YES to drop TCP w/SYN+FIN
>                         # NOTE: this violates the TCP specification
> tcp_restrict_rst="NO"   # Set to YES to restrict emission of RST
>
> On 5/29/01 at 11:43 PM Liran Dahan wrote:
>
> >I've added those 2 options in my kernel long time ago:
> >options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
> >options TCP_RESTRICT_RST #restrict emission of TCP RST
>
> --
> It is a capital mistake to theorise before one has data.
> Insensibly one begins to twist facts to suit theories,
> Instead of theories to suit facts.
> -- Sherlock Holmes, "A Scandal in Bohemia"
> Arthur W. Neilson III, WH7N - FISTS #7448
> Bank of Hawaii Tech Support
> http://www.pilikia.net
> art@pilikia.net, aneilson@boh.com, wh7n@arrl.net