Date: Thu, 5 Nov 1998 00:28:52 -0800
From: "Jan B. Koum "
To: Poul-Henning Kamp , Nate Williams
Cc: Don Lewis , cvs-committers@FreeBSD.ORG
Subject: Re: cvs commit: src/usr.sbin/inetd inetd.c
Message-ID: <19981105002852.B18743@best.com>
References: <199811050756.AAA17272@mt.sri.com> <11223.910253625@critter.freebsd.dk>
In-Reply-To: <11223.910253625@critter.freebsd.dk>; from Poul-Henning Kamp on Thu, Nov 05, 1998 at 09:13:45AM +0100

On Thu, Nov 05, 1998 at 09:13:45AM +0100, Poul-Henning Kamp wrote:
>
> >> Well, it is (barely) measurably faster on the two busy mailservers I run.
> >
> >That makes no sense given Don's analysis. Getting a reset is *MUCH*
> >faster than making a full-fledged TCP connection, sending and receiving
> >(bogus) data, and then shutting down the connection.

[snip]

> >> The other advantage is that it makes:
> >> sysctl -w net.inet.tcp.log_in_vain=1
> >> less noisy on same machines.
> >
> >????
>
> Have you tried it on a mail server which doesn't answer port 113?
> You get (possibly 3) messages every time somebody tries to connect
> to port 113. With this dummy server in place, you don't get the
> noise, so you can see actual portscans and stuff like that.

I am jumping into this thread and might be missing the point, but...
Most portscans these days won't get logged with that sysctl setting. The reason is that they don't always have TH_SYN only; in many cases they don't even have that. Here is, for example, what the nmap portscanner can do:

  -sT tcp connect() port scan
  -sS tcp SYN stealth port scan (must be root)
  -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (only works against UNIX).

Going from TH_SYN to TH_FLAGS in tcp_input.c will solve that. Maybe I should beautify www.best.com/~jkb/tcp_input.diff.txt and just send-pr it?

>
> Everybody who's concerned about security should run with
> sysctl -w net.inet.tcp.log_in_vain=1
> even if behind a firewall.

Taking it a step further: anyone who is REALLY concerned about security should run an IDS to make sure their firewall works as it should. :) I'd suggest NFR - it runs on FreeBSD very well.

-- Yan

I don't have the password .... + Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org
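To make the flag-check difference concrete, here is an added example in C (not code from the message or from FreeBSD's tcp_input.c) that models the no-listener logging decision: a set of constructed probes carrying the flag bits of nmap's SYN, FIN, Xmas and Null scans is run through a SYN-only test and an any-flag (TH_FLAGS) test, and a log-style line is printed for each. The probe table, classify() and count_logged() are assumptions made for illustration; the flag values are the ones <netinet/tcp.h> defines.

```c
#include <stdbool.h>
#include <stdio.h>
/* TCP header flag bits, same values as <netinet/tcp.h> defines. */
#define TH_FIN   0x01
#define TH_SYN   0x02
#define TH_PUSH  0x08
#define TH_URG   0x20
#define TH_FLAGS 0x3f   /* FIN|SYN|RST|PUSH|ACK|URG */
/* Constructed probes (assumption), all aimed at a port that has no listener. */
struct probe { const char *scan; unsigned thflags; };
static const struct probe probes[] = {
    { "connect()/SYN (-sT,-sS)", TH_SYN },
    { "FIN (-sF)",               TH_FIN },
    { "Xmas (-sX)",              TH_FIN | TH_PUSH | TH_URG },
    { "Null (-sN)",              0 },
};
#define NPROBES (sizeof probes / sizeof probes[0])

/* Existing test: log only when the SYN bit is set. */
bool logged_syn_only(unsigned thflags) { return (thflags & TH_SYN) != 0; }
/* Proposed test: log when any flag bit at all is set. */
bool logged_any_flag(unsigned thflags) { return (thflags & TH_FLAGS) != 0; }
/* Name the probe type from its flag bits, for a more useful log line. */
const char *classify(unsigned thflags)
{
    if (thflags == 0) return "null";
    if (thflags == (TH_FIN | TH_PUSH | TH_URG)) return "xmas";
    if (thflags == TH_FIN) return "fin";
    return (thflags & TH_SYN) ? "syn" : "other";
}

/* Run every probe through one test, print a log-style line, count the hits. */
int count_logged(bool (*test)(unsigned))
{
    int n = 0;
    for (size_t i = 0; i < NPROBES; i++) {
        bool hit = test(probes[i].thflags);
        printf("%-26s flags=0x%02x type=%-5s logged=%s\n", probes[i].scan,
               probes[i].thflags, classify(probes[i].thflags), hit ? "yes" : "no");
        n += hit;
    }
    return n;
}

int main(void)
{
    printf("SYN-only: %d/%zu logged\n", count_logged(logged_syn_only), NPROBES);
    printf("any-flag: %d/%zu logged\n", count_logged(logged_any_flag), NPROBES);
    return 0;
}
```

The output makes the gap visible: the SYN-only test sees one of the four probes, the any-flag test sees three, and a Null probe (no flag bits at all) satisfies neither bitmask test.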