Date: Tue, 27 Jul 1999 22:50:50 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Dag-Erling Smorgrav <des@yes.no>
Cc: net@FreeBSD.ORG
Subject: TCP/IP hardening
Message-ID: <199907280250.WAA06009@khavrinen.lcs.mit.edu>
In-Reply-To: <xzpn1wjb1o2.fsf@des.follo.net>
References: <xzpn1wjb1o2.fsf@des.follo.net>
<<On 26 Jul 1999 22:23:41 +0200, Dag-Erling Smorgrav <des@yes.no> said:

> * net.inet.tcp.restrict_rst: if set to 1, do not emit TCP RST
> packets. Conditional on the TCP_RESTRICT_RST kernel option, which
> defaults to off.

Why would you want to break the TCP implementation?

> * net.inet.tcp.drop_synfin: if set to 1, drop TCP packets with both
> the SYN and FIN options set. Conditional on the TCP_DROP_SYNFIN
> kernel option, which defaults to off.

Again, why would you do that? If it bothers you so much, then go hide
behind a firewall.

+# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
+# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
+# for RFC1644 extensions and is not recommended for web servers.

It also breaks support for the TCP protocol, regardless of the state
of RFC 1644.

Any log messages which can be evoked by an attacker should be
rate-limited.

-GAWollman

--
Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
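Review bot: the quoted TCP_DROP_SYNFIN comment overclaims in its second sentence: dropping SYN+FIN segments removes the response to one fingerprinting probe, it does not "prevent nmap et al. from identifying the TCP/IP stack", so "makes one of nmap's stack-fingerprinting probes useless" is closer to what the option does. The comment should also say that the option only compiles in the net.inet.tcp.drop_synfin sysctl and that the behaviour is off until that sysctl is set to 1, as the parent message describes; a reader of the config file cannot tell that from "adds support for ignoring". Finally, "is not recommended for web servers" is stated without a reason; either give the reason (why the RFC1644 breakage matters to web servers) or drop the clause, and write "RFC 1644" to match the body text.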
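As an added example, not FreeBSD's implementation and not code from either message: a user-space model of the two points above, the drop_synfin decision on the TCP flag byte and a per-second rate limit on the log line that a dropped segment would otherwise produce, since that message is one an attacker can evoke at will. The 20-byte headers are constructed in the program, the clock is passed in as an integer second count so runs are deterministic, and the names ratecheck, synfin_filter and burst are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits from the RFC 793 header layout. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_ACK  0x10

/* Build a constructed 20-byte TCP header (no options). Only the flag byte
 * at offset 13 matters to the check; the rest is plausible filler. */
size_t make_tcp_header(uint8_t *buf, size_t cap, uint8_t flags) {
    if (cap < 20) return 0;
    memset(buf, 0, 20);
    buf[0] = 0x04; buf[1] = 0xd2;   /* source port 1234 */
    buf[2] = 0x00; buf[3] = 0x50;   /* destination port 80 */
    buf[12] = 5 << 4;               /* data offset: 5 words = 20 bytes */
    buf[13] = flags;
    buf[14] = 0x10; buf[15] = 0x00; /* window 4096 */
    return 20;
}

/* Flag byte of a raw TCP header, or -1 if the buffer is too short to hold one. */
int tcp_flags(const uint8_t *pkt, size_t len) {
    if (len < 20) return -1;
    return pkt[13];
}

/* Rate limiter in the spirit of a packets-per-second check: at most
 * 'maxpps' log events per one-second window, the rest counted and dropped.
 * 'window' is the second the current budget belongs to (hypothetical layout). */
struct ratelimit { long window; int count; int maxpps; int suppressed; };

int ratecheck(struct ratelimit *rl, long now) {
    if (now != rl->window) {        /* a new second: reset the budget */
        rl->window = now;
        rl->count = 0;
    }
    if (rl->count < rl->maxpps) {
        rl->count++;
        return 1;                   /* log this one */
    }
    rl->suppressed++;
    return 0;                       /* attacker-evokable message, suppressed */
}

/* The drop_synfin decision: returns 1 if the segment is dropped, 0 if it
 * continues to normal TCP input. *logged is set when a line was printed. */
int synfin_filter(const uint8_t *pkt, size_t len, int drop_synfin,
                  struct ratelimit *rl, long now, int *logged) {
    int f = tcp_flags(pkt, len);
    *logged = 0;
    if (f < 0) return 1;                     /* truncated header: drop, no log */
    if (!drop_synfin) return 0;              /* sysctl off: plain RFC 793 handling */
    if ((f & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)) {
        if (ratecheck(rl, now)) {
            *logged = 1;
            printf("tcp: dropped SYN+FIN segment (flags 0x%02x)\n", f);
        }
        return 1;
    }
    return 0;
}

/* Feed 'n' SYN+FIN segments within second 'now'; returns the number of log lines emitted. */
int burst(struct ratelimit *rl, long now, int n, int drop_synfin) {
    uint8_t pkt[20];
    int logged, total = 0;
    size_t len = make_tcp_header(pkt, sizeof pkt, TH_SYN | TH_FIN);
    for (int i = 0; i < n; i++) {
        synfin_filter(pkt, len, drop_synfin, rl, now, &logged);
        total += logged;
    }
    return total;
}

int main(void) {
    struct ratelimit rl = { -1, 0, 5, 0 };
    int lines = burst(&rl, 100, 1000, 1);
    printf("1000 SYN+FIN segments in one second: %d logged, %d suppressed\n",
           lines, rl.suppressed);
    return 0;
}
```

Without the rate check the same burst would produce a thousand identical log lines, which is the amplification Wollman is warning about: the attacker pays one packet per line and the victim pays disk and syslog bandwidth. The limit is per window, so a slow trickle is still logged in full.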