Date: 26 Jul 1999 22:23:41 +0200 From: Dag-Erling Smorgrav <des@yes.no> To: net@freebsd.org Subject: TCP/IP hardening Message-ID: <xzpn1wjb1o2.fsf@des.follo.net>
Attached are patches which implement four new sysctl variables: * net.inet.icmp.dropredirect: if set to 1, ignore ICMP REDIRECT packets. * net.inet.icmp.logredirect: if set to 1, log all ICMP REDIRECT packets (before optionally dropping them). * net.inet.tcp.restrict_rst: if set to 1, do not emit TCP RST packets. Conditional on the TCP_RESTRICT_RST kernel option, which defaults to off. * net.inet.tcp.drop_synfin: if set to 1, drop TCP packets with both the SYN and FIN options set. Conditional on the TCP_DROP_SYNFIN kernel option, which defaults to off. The logredirect code uses inet_ntoa, which is a bad idea. I'm open to suggestions for a better solution. Also, these sysctl variables should be described in a man page somewhere, but I'm not sure which one. These patches compile, but are not fully tested. DES -- Dag-Erling Smorgrav - des@yes.no
Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.23
diff -u -r1.23 rc.conf
--- rc.conf 1999/07/26 10:49:33 1.23
+++ rc.conf 1999/07/26 19:11:51
@@ -48,6 +48,11 @@
 tcp_extensions="NO" # Set to Yes to turn on RFC1323 extensions.
 log_in_vain="NO" # Disallow bad connection logging (or YES).
 tcp_keepalive="YES" # Kill dead TCP connections (or NO).
+tcp_restrict_rst="NO" # Set to YES to restrict emission of RST
+tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
+ # NOTE: this breaks rfc1644 extensions (T/TCP)
+icmp_dropredirect="NO" # Set to YES to ignore ICMP REDIRECT packets
+icmp_logredirect="NO" # Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto" # List of network interfaces (or "auto").
 ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
 #ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
Index: etc/rc.network
===================================================================
RCS file: /home/ncvs/src/etc/rc.network,v
retrieving revision 1.52
diff -u -r1.52 rc.network
--- rc.network 1999/07/26 15:17:23 1.52
+++ rc.network 1999/07/26 19:11:51
@@ -197,6 +197,16 @@
 echo -n ' broadcast ping responses=YES'
 sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
 fi
+
+ if [ "X$icmp_dropredirect" = X"YES" ]; then
+ echo -n ' ignore ICMP redirect=YES'
+ sysctl -w net.inet.icmp.dropredirect=1 >/dev/null
+ fi
+
+ if [ "X$icmp_logredirect" = X"YES" ]; then
+ echo -n ' log ICMP redirect=YES'
+ sysctl -w net.inet.icmp.logredirect=1 >/dev/null
+ fi
 if [ "X$gateway_enable" = X"YES" ]; then
 echo -n ' IP gateway=YES'
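Review bot: The rc.conf comments for `tcp_restrict_rst` and `tcp_drop_synfin` do not say that these knobs only work on a kernel built with the TCP_RESTRICT_RST / TCP_DROP_SYNFIN options (the sysctls are wrapped in `#ifdef` in the tcp_input.c part of this patch), whereas the two icmp_* knobs are unconditional; a user who sets YES on a stock kernel gets no effect and no hint why. Suggest `tcp_restrict_rst="NO" # Set to YES to restrict emission of RST (needs TCP_RESTRICT_RST in kernel)` and the same note on the `tcp_drop_synfin` line next to the existing T/TCP caveat.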
@@ -216,6 +226,16 @@
 if [ "X$tcp_keepalive" = X"YES" ]; then
 echo -n ' TCP keepalive=YES'
 sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
+ fi
+
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
 fi
 if [ "X$ipxgateway_enable" = X"YES" ]; then
Index: sys/conf/options
===================================================================
RCS file: /home/ncvs/src/sys/conf/options,v
retrieving revision 1.144
diff -u -r1.144 options
--- options 1999/07/05 20:19:34 1.144
+++ options 1999/07/26 19:11:51
@@ -222,6 +222,8 @@
 PPP_FILTER opt_ppp.h
 TCP_COMPAT_42 opt_compat.h
 TCPDEBUG
+TCP_RESTRICT_RST opt_tcp_input.h
+TCP_DROP_SYNFIN opt_tcp_input.h
 IPFILTER opt_ipfilter.h
 IPFILTER_LOG opt_ipfilter.h
 SLIP_IFF_OPTS opt_slip.h
Index: sys/i386/conf/LINT
===================================================================
RCS file: /home/ncvs/src/sys/i386/conf/LINT,v
retrieving revision 1.620
diff -u -r1.620 LINT
--- LINT 1999/07/26 05:47:17 1.620
+++ LINT 1999/07/26 19:11:51
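Review bot: `sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null` and the `drop_synfin` line below it redirect only stdout, but per the tcp_input.c hunks these OIDs are registered only when the kernel has TCP_RESTRICT_RST / TCP_DROP_SYNFIN compiled in, so on any other kernel sysctl's error lands in the boot output right after the ' restrict TCP reset=YES' status text has already been echoed. The icmp_* lines in the previous hunk do not have this problem because their sysctls are unconditional. Either probe the OID before echoing the status, e.g. `if [ "X$tcp_restrict_rst" = X"YES" ] && sysctl net.inet.tcp.restrict_rst >/dev/null 2>&1; then`, or at least echo a warning instead of silently hiding the failure.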
@@ -465,9 +465,23 @@
 options IPDIVERT #divert sockets
 options IPFILTER #kernel ipfilter support
 options IPFILTER_LOG #ipfilter logging
-#options IPFILTER_LKM #kernel support for ip_fil.o LKM
 options IPSTEALTH #support for stealth forwarding
+#options IPFILTER_LKM #kernel support for ip_fil.o LKM
 options TCPDEBUG
+
+# The following options add sysctl variables for controlling how certain
+# TCP packets are handled.
+#
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+#
+# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
+# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
+# for RFC1644 extensions and is not recommended for web servers.
+#
+options TCP_RESTRICT_RST #restrict emission of TCP RST
+options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
 # ICMP_BANDLIM enables icmp error response bandwidth limiting. You
 # typically want this option as it will help protect the machine from
Index: sys/netinet/ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.34
diff -u -r1.34 ip_icmp.c
--- ip_icmp.c 1999/03/06 23:10:42 1.34
+++ ip_icmp.c 1999/07/26 19:11:51
@@ -69,6 +69,14 @@
 SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
 &icmpmaskrepl, 0, "");
+static int logredirect = 0;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, logredirect, CTLFLAG_RW,
+ &logredirect, 0, "");
+
+static int dropredirect = 0;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirect, CTLFLAG_RW,
+ &dropredirect, 0, "");
+
 #ifdef ICMP_BANDLIM
 /*
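Review bot: The two new SYSCTL_INT entries for `logredirect` and `dropredirect` register with an empty description string, while the tcp_input.c hunk in the same patch documents its sysctls inline; an operator browsing `sysctl -d` gets nothing for these. Suggest `&logredirect, 0, "Log received ICMP REDIRECT packets");` and `&dropredirect, 0, "Ignore received ICMP REDIRECT packets");`. The maskrepl entry above them is also empty, but that is pre-existing.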
@@ -462,6 +470,15 @@
 return;
 case ICMP_REDIRECT:
+ if (logredirect) {
+ char from[4 * sizeof "123"], dst[4 * sizeof "123"];
+ strcpy(from, inet_ntoa(ip->ip_src));
+ strcpy(dst, inet_ntoa(icp->icmp_ip.ip_dst));
+ printf("icmp_redirect from %s: %s => %s\n",
+ from, dst, inet_ntoa(icp->icmp_gwaddr));
+ }
+ if (dropredirect)
+ break;
 if (code > 3)
 goto badcode;
 if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||
Index: sys/netinet/tcp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.87
diff -u -r1.87 tcp_input.c
--- tcp_input.c 1999/07/18 14:42:48 1.87
+++ tcp_input.c 1999/07/26 19:11:51
@@ -36,6 +36,7 @@
 #include "opt_ipfw.h" /* for ipfw_fwd */
 #include "opt_tcpdebug.h"
+#include "opt_tcp_input.h"
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -89,6 +90,18 @@
 &tcp_delack_enabled, 0, "Delay ACK to try and piggyback it onto a data packet");
+#ifdef TCP_RESTRICT_RST
+static int restrict_rst = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, restrict_rst, CTLFLAG_RW,
+ &restrict_rst, 0, "Restrict RST emission");
+#endif
+
+#ifdef TCP_DROP_SYNFIN
+static int drop_synfin = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
+ &drop_synfin, 0, "Drop TCP packets with FIN+ACK set");
+#endif
+
 u_long tcp_now;
 struct inpcbhead tcb;
 struct inpcbinfo tcbinfo;
@@ -336,6 +349,18 @@
 }
 tiflags = ti->ti_flags;
+#ifdef TCP_DROP_SYNFIN
+ /*
+ * If the drop_synfin option is enabled, drop all packets with
+ * both the SYN and FIN bits set. This prevents e.g. nmap from
+ * identifying the TCP/IP stack.
+ *
+ * This is incompatible with RFC1644 extensions (T/TCP).
+ */
+ if (drop_synfin && (tiflags & (TH_SYN|TH_FIN)) == TH_SYN|TH_FIN)
+ goto drop;
+#endif
+
 /*
 * Convert TCP protocol specific fields to host format.
 */
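Review bot: The logging block reads `icp->icmp_ip.ip_dst` and `icp->icmp_gwaddr` before the `icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp)` check that follows it, so a truncated REDIRECT is printed from header bytes that the length validation has not yet covered; the minimum-length pullup earlier in icmp_input is outside this hunk, so I cannot confirm from here how much of the inner header is guaranteed to be present. Move the `if (logredirect) { ... }` block to after `goto badcode;` and the length check, keeping `if (dropredirect) break;` in front of the checks if the intent is to drop malformed redirects too. Separately, an unconditional `printf` per received redirect lets any sender fill the console and log at line rate; a counter, or the same throttling the file already applies under ICMP_BANDLIM, would keep the feature usable under load.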
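Review bot: The description string for the `drop_synfin` sysctl says `"Drop TCP packets with FIN+ACK set"`, but the check it controls (the -336 hunk), the rc.conf comment and the LINT text all talk about SYN+FIN; `&drop_synfin, 0, "Drop TCP packets with SYN+FIN set");` matches what the code does.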
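Review bot: `(tiflags & (TH_SYN|TH_FIN)) == TH_SYN|TH_FIN` parses as `((tiflags & (TH_SYN|TH_FIN)) == TH_SYN) | TH_FIN` because `==` binds tighter than `|`; since TH_FIN is a nonzero constant the condition holds for every segment, so setting the sysctl drops all TCP input rather than only SYN+FIN segments. The fix is `if (drop_synfin && (tiflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))`. The drop is also silent; bumping a tcpstat counter on this path would let an operator see the feature working in netstat output. The enclosing tcp_input() body starts and continues outside the hunk.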
@@ -1764,6 +1789,10 @@
 return;
 dropwithreset:
+#ifdef TCP_RESTRICT_RST
+ if (restrict_rst)
+ goto drop;
+#endif
 /*
 * Generate a RST, dropping incoming segment.
 * Make ACK acceptable to originator of segment.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
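Review bot: With `restrict_rst` set, every arrival at `dropwithreset:` becomes a plain `goto drop` with nothing counted or logged, so an operator cannot tell suppressed RSTs from ordinary drops, and peers that rely on a RST to tear down a stale or half-open connection will presumably wait out a timeout instead; that trade-off is not mentioned in the sysctl description ("Restrict RST emission") or the LINT comment. Suggest documenting it there and incrementing a dedicated tcpstat counter before the `goto drop;` so the effect is visible in netstat. The enclosing function continues outside the hunk.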