Date: Tue, 27 Jul 1999 22:50:50 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199907280250.WAA06009@khavrinen.lcs.mit.edu>
To: Dag-Erling Smorgrav
Cc: net@FreeBSD.ORG
Subject: TCP/IP hardening

< said:

> * net.inet.tcp.restrict_rst: if set to 1, do not emit TCP RST
> packets. Conditional on the TCP_RESTRICT_RST kernel option, which
> defaults to off.

Why would you want to break the TCP implementation?

> * net.inet.tcp.drop_synfin: if set to 1, drop TCP packets with both
> the SYN and FIN options set. Conditional on the TCP_DROP_SYNFIN
> kernel option, which defaults to off.

Again, why would you do that? If it bothers you so much, then go hide
behind a firewall.

+# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
+# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
+# for RFC1644 extensions and is not recommended for web servers.

It also breaks support for the TCP protocol, regardless of the state of
RFC 1644.

Any log messages which can be evoked by an attacker should be rate-limited.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
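Wollman's closing point (any log message an attacker can provoke, such as one line per dropped SYN+FIN segment, must be rate-limited) as an added example that is not code from this thread or from the FreeBSD tree: a fixed one-second-window limiter in C with an explicit clock, using assumed names `log_limiter`, `log_limiter_check` and `simulate_flood`, driven by a constructed stream of drop events.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NS_PER_SEC 1000000000LL

/* State for one attacker-triggerable line (e.g. "dropped SYN+FIN segment"). */
struct log_limiter {
    int64_t window_start;  /* start of the current one-second window, ns */
    int     count;         /* lines emitted in this window */
    int     suppressed;    /* lines swallowed in this window */
    int     max_per_sec;   /* budget per window */
};

/* Returns true if the line may be emitted now.  On the first call in a new
 * window, *dropped receives the number suppressed in the previous window
 * (otherwise 0), so a flood still leaves one summary line rather than none. */
bool log_limiter_check(struct log_limiter *l, int64_t now_ns, int *dropped)
{
    *dropped = 0;
    if (now_ns - l->window_start >= NS_PER_SEC) {
        *dropped = l->suppressed;
        l->window_start = now_ns;
        l->count = l->suppressed = 0;
    }
    if (l->count < l->max_per_sec) {
        l->count++;
        return true;
    }
    l->suppressed++;
    return false;
}

/* Feed `events` constructed drop events spaced `spacing_ns` apart through a
 * limiter with budget `max_per_sec`; returns how many lines would be printed
 * (events minus the return value is the number swallowed). */
int simulate_flood(int events, int64_t spacing_ns, int max_per_sec)
{
    struct log_limiter l = { 0, 0, 0, max_per_sec };
    int emitted = 0, dropped;
    for (int i = 0; i < events; i++) {
        if (log_limiter_check(&l, (int64_t)i * spacing_ns, &dropped)) {
            emitted++;
            printf("tcp: dropped SYN+FIN segment (event %d)\n", i);
        }
        if (dropped > 0)
            printf("tcp: %d similar messages suppressed in the last second\n", dropped);
    }
    return emitted;
}
```

With a budget of 5 per second, a burst of 100 events 1 ms apart prints five lines and one summary; spreading events across windows lets the budget refill each second.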