Date:      Thu, 31 May 2001 12:37:58 +0200
From:      "Liran Dahan" <lirandb@netvision.net.il>
To:        <freebsd-security@freebsd.org>
Cc:        <art@pilikia.net>
Subject:   Re: Syn+Fin (Setup) And TCP RST
Message-ID:  <001801c0e9bd$c2b7f3a0$b88f39d5@a>
References:  <010f01c0e888$5ab3c120$b88f39d5@a><200105291052100670.246E525C@smtp><012601c0e88c$3e6efb20$b88f39d5@a> <200105301945280950.2B7D2CAF@smtp>

There is no connection between net.inet.tcp.restrict_rst=1 and ipfw, since ipfw
will send RST packets if I tell it to, EVEN if I have RST restricted in my
kernel.

Best Regards,

        Liran Dahan (lirandb@netvision.net.il)

----- Original Message -----
From: "Arthur W. Neilson III" <art@pilikia.net>
To: "Liran Dahan" <lirandb@netvision.net.il>
Sent: Thursday, May 31, 2001 7:45 AM
Subject: Re: Syn+Fin (Setup) And TCP RST


> it's not sending an RST because you told it not to.  The
> net.inet.tcp.restrict_rst = 1 makes the stack NOT send RSTs,
> it just drops the space held by the incoming segment and returns.
> generally speaking, enabling restrict_rst is a bad idea and should
> only be done if you're sure you need it (you're being attacked by SYN flood).
>
> On 5/30/01 at 12:11 AM Liran Dahan wrote:
> >
> >Yes, you're right, I noticed it just now. I've changed the variable
> >net.inet.tcp.restrict_rst to 1 and saw it took me ages till I got a
> >Connection timeout.. so what can the problem be.. why is my firewall not
> >sending TCP RST when I'm doing ipfw add reset tcp from any to any ?
> >
> >-Liran Dahan- (lirandb@netvision.net.il)
> >----- Original Message -----
> >From: "Arthur W. Neilson III" <art@pilikia.net>
> >To: "Liran Dahan" <lirandb@netvision.net.il>
> >Sent: Tuesday, May 29, 2001 10:52 PM
> >Subject: Re: Syn+Fin (Setup) And TCP RST
> >
> >
> >> adding these options to your kernel config merely compiles in
> >> the code to support these features.  In order to actually turn them
> >> on you have to set the variables in rc.conf to "YES" or turn them
> >> on via sysctl(1) ...
> >>
> >> # For the following two options, you need to have
> >> # TCP_DROP_SYNFIN and TCP_RESTRICT_RST
> >> # set in your kernel. Please refer to LINT for details.
> >> tcp_drop_synfin="NO"      # Set to YES to drop TCP w/SYN+FIN
> >>                           # NOTE: this violates the TCP specification
> >> tcp_restrict_rst="NO"     # Set to YES to restrict emission of RST
> >>
> >> On 5/29/01 at 11:43 PM Liran Dahan wrote:
> >> >
> >> >I've added those 2 options in my kernel long time ago:
> >> >options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
> >> >options         TCP_RESTRICT_RST        #restrict emission of TCP RST
> >>
> >> --
> >>     __
> >>    /  )    _/_  It is a capital mistake to theorise before one has data.
> >>   /--/ __  /    Insensibly one begins to twist facts to suit theories,
> >>  /  (_/ (_<__   Instead of theories to suit facts.
> >>                      -- Sherlock Holmes, "A Scandal in Bohemia"
> >>  Arthur W. Neilson III, WH7N - FISTS #7448
> >>  Bank of Hawaii Tech Support
> >>  http://www.pilikia.net
> >>  art@pilikia.net, aneilson@boh.com, wh7n@arrl.net
> >>
> >>
> >>
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
>
>
> --
>     __
>    /  )    _/_  It is a capital mistake to theorise before one has data.
>   /--/ __  /    Insensibly one begins to twist facts to suit theories,
>  /  (_/ (_<__   Instead of theories to suit facts.
>                      -- Sherlock Holmes, "A Scandal in Bohemia"
>  Arthur W. Neilson III, WH7N - FISTS #7448
>  Bank of Hawaii Tech Support
>  http://www.pilikia.net
>  art@pilikia.net, aneilson@boh.com, wh7n@arrl.net
>
>
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
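The thread's point is that the kernel options only compile the code in, the rc.conf variables set the sysctls at boot, and the running sysctl value is what actually decides whether the stack emits RSTs. As an added example (not code from the thread or from FreeBSD), here is a small POSIX sh audit that compares the rc.conf setting for each knob with the running sysctl value and flags a mismatch; the function names are my own, and the sample rc.conf and sysctl text are constructed so it runs offline.

```shell
#!/bin/sh
# Audit whether tcp_drop_synfin / tcp_restrict_rst in rc.conf agree with
# the running kernel's sysctl values. Inputs are passed as text so the
# check also works on saved copies; on a live FreeBSD host you would feed
# it the contents of /etc/rc.conf and the output of `sysctl net.inet.tcp`.

# rc_value RCCONF_TEXT VAR -> prints VAR's value (quotes stripped, last
# assignment wins), or nothing if VAR is not set.
rc_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([A-Za-z]*\)\"\{0,1\}.*/\1/p" |
        tail -n 1
}

# sysctl_value SYSCTL_TEXT OID -> prints OID's numeric value, or nothing
# if the OID is absent (kernel built without the matching option).
# Dots in OID match any character, which is fine for this exact-name use.
sysctl_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *\([0-9]*\).*/\1/p" | tail -n 1
}

# check_knob RCCONF_TEXT SYSCTL_TEXT RCVAR OID
# returns 0 when boot-time config and running state agree, 1 on a
# mismatch, 2 when the OID is missing from the running kernel.
check_knob() {
    rc=$(rc_value "$1" "$3")
    cur=$(sysctl_value "$2" "$4")
    if [ -z "$cur" ]; then
        echo "$4: not present, kernel lacks the option"
        return 2
    fi
    want=0
    case "$rc" in [Yy][Ee][Ss]) want=1 ;; esac
    if [ "$cur" -ne "$want" ]; then
        echo "$4: rc.conf has $3=${rc:-unset} (expects $want), running value is $cur"
        return 1
    fi
    echo "$4: consistent (running value $cur)"
    return 0
}

# Constructed sample inputs (not taken from a real host): rc.conf asks
# for SYN+FIN dropping, but the running kernel has not picked it up yet.
SAMPLE_RCCONF='tcp_drop_synfin="YES"   # drop TCP w/SYN+FIN
tcp_restrict_rst="NO"'
SAMPLE_SYSCTL='net.inet.tcp.drop_synfin: 0
net.inet.tcp.restrict_rst: 0'
```

Note that an ipfw `reset` rule is unaffected by either knob, so a mismatch here explains missing RSTs from the stack itself, not from ipfw.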