Date: Mon, 19 Mar 2007 21:23:10 +0300 From: banshee <root@vault13.org> To: freebsd-current@freebsd.org Subject: Re: rc.conf: tcp_drop_synfin option Message-ID: <20070319182310.GH1057@vault.net.vault13.org> In-Reply-To: <a31046fc0703190451i70442035q90e0a2eb0c98e6c3@mail.gmail.com> References: <20070318152101.GA70619@vault13.org> <a31046fc0703190248g7b8ba445g7ef5fb282823883c@mail.gmail.com> <20070319112333.GA832@vault.net.vault13.org> <a31046fc0703190451i70442035q90e0a2eb0c98e6c3@mail.gmail.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --]
No, in that case, it will sysctl will turn on SYN+FIN drop, but if we us
e cut -d ' ' -f 2, it will return 0 (by default at start up time this sysctl var=0) and print error msg. if you use -f 4, then it will check, that SYN+FIN funct
ion is turned on, no meter how.
On Mon, Mar 19, 2007 at 02:51:10PM +0300, pluknet wrote:
> On 19/03/07, banshee <root@vault13.org> wrote:
> >On Mon, Mar 19, 2007 at 12:48:01PM +0300, pluknet wrote:
> >> Hi.
> >>
> >> On 18/03/07, banshee <root@vault13.org> wrote:
> >> >
> >> > Hello everyone!
> >> >
> >> > I have an tcp_drop_synfin="yes" option in my rc.conf, but it
> >> > doesn't work correct. Here is the dmesg -a part:
> >> >
> >> > [...]
> >> > Additional routing options:
> >> > ignore ICMP redirect=3DYES
> >> > log ICMP redirect=3DYES
> >> > drop SYN+FIN packets=3DYES
> >> > sysctl:
> >> > unknown oid 'net.inet.tcp.drop_synfin'
> >> > [...]
> >> >
> >> > I've been thinking about making a patch for it
> >(/etc/rc.d/routing,
> >> > lines 22-127), but i just didn't find something in `sysctl -a`
> >> > list that can be used. If this option removed, then may be the
> >> > lines 124-125 in /etc/rc.d/routing should be changed (something
> >as
> >> > in attach)? I'm interested in making patch for it :-)
> >>
> >> Didn't you forget to add the TCP_DROP_SYNFIN option in your kernel
> >config?
> >>
> >> > Best regards, banshee, vault13.org...
> >>
> >> pluknet
> >
> > Ups... No, I didn't forget to include it, i've just compiled the
> > wrong kernel :-)
> > Anyway, i've made some changes to routing file, just to see, is
> > this sysctl var set correctly (i know, the code is ugly).
>
> >From attach:
> - echo -n ' drop SYN+FIN packets=YES'
> - sysctl net.inet.tcp.drop_synfin=1 >/dev/null
> + if [ "`sysctl net.inet.tcp.drop_synfin=1 | cut -d ' ' -f 4`"
> \
> + = "1" ]; then
>
> Perhaps it would be more careful to make a so-called "const" check:
> - echo -n ' drop SYN+FIN packets=YES'
> sysctl net.inet.tcp.drop_synfin=1 >/dev/null
> + if [ "`sysctl net.inet.tcp.drop_synfin | cut -d ' ' -f 2`" \
> + = "1" ]; then
>
> >
> pluknet
>
> ps
> sorry for my English
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
--
Contra vim mortis, non est medicaments...
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)
iQIVAwUBRf7VC4klF6acR4MmAQIGhA/+MjiTMWIiVpOkqJZ1GsJmbcf18rpBNYOF
dVOlIQv5NuagJ1vyooCvN/bdINXet5N0y6xeOBXRrNI6PrwOlZTB1YcWGvEFb07m
IuaK2Ycgg5MtVV+yfdpvyAl/XgPI+oQWSdJSJOHYXZ+sBaeo829SVTZSeEmrr82n
mL/eQ4vYbwRZdf3YshsTk6GoPsM8QiJlkEq86jFa/v5e6nUjh0NcV5N+zJoI4Dur
euOTMQ8EwUFQGGRn+wqkFOzq9tpYGo25+X3m9Ia6G0/AVUGEcBqqYhcigCTEU2CV
BE5wfrFRePmG8M5apJLHCElzvATlfJ5NWT1fe0tp7AEUaiQp3oo4nkSqwxx4vTsL
EW27h9CsPo97Zqk+//tjhvZqcXL7c5yu55cR1AZNEKo3oO01cLRvVRsZOfDIFQbr
f1PG7oyixC2CgUqxfUB9BxH6Pvj+WhZgauq9NwOSnTHVLg1CpNuqFCtqQDVz/GaB
jVCg3DkXca2WJoi1P1GEb+KiPJvW4Ves36qprxy3fIE+0G+f2203CKDsDbfHAJxR
ovJcGQR3u4c5Gd2mxHqDd1PV989HvK2+DkBuR8xf70lPSWwo6CLQZceXROiSV+Xt
wyPPMUXYupITbdJ6B1j4z1+84v9jjz9eQxFuygPdjP1mEycWGsacgp2d94MTg9WD
3UC6QRCaKXc=
=xYGp
-----END PGP SIGNATURE-----
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070319182310.GH1057>