Date: Tue, 16 Jan 2001 03:09:18 -0500
From: "Dennis Jun" <dennisjun@home.com>
To: "Pavol Adamec" <pavol_adamec@tempest.sk>
Cc: <freebsd-questions@freebsd.org>
Subject: Re: TCP_DROP_SYNFIN doesn't work?
Message-ID: <007901c07f93$9fea33e0$0300a8c0@wilma>
References: <004a01c07f90$29bcef80$0300a8c0@wilma> <3A63FFF9.8E64A6AA@tempest.sk>
I have also implemented TCP_RESTRICT_RST as well.

# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack,...

That is from LINT. Thus the reason for my question. My friend just upgraded his
Linux kernel to 2.4.0 with the same option and it works for him. Thus I'm
suspecting I'm doing something wrong but I wanted to know if others had this
problem as well.

----- Original Message -----
From: "Pavol Adamec" <pavol_adamec@tempest.sk>
To: "Dennis Jun" <dennisjun@home.com>
Cc: <freebsd-questions@FreeBSD.ORG>; <freebsd-security@FreeBSD.ORG>
Sent: Tuesday, January 16, 2001 3:02 AM
Subject: Re: TCP_DROP_SYNFIN

> I'm not sure what you exactly meant by that but:
>
> TCP_DROP_SYNFIN forces the kernel to drop packets with BOTH SYN and
> FIN flags set. nmap -sS is a "half-open scan" - it sends packets
> with only the SYN flag set.
> What you likely want is TCP_RESTRICT_RST - not to emit RST for SYN
> packets to non-listening ports.
>
> Paul
>
> Dennis Jun wrote:
> >
> > I have compiled this option in my kernel on 3 different FreeBSD boxes
> > (4.1.1-STABLE, 4.1-RELEASEs) and I have noticed that it doesn't work all
> > the time. Specifically with this scan nmap -v -O -sS . Is it just me or
> > does this not work for other people as well?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
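The distinction Pavol draws (SYN+FIN probes versus a SYN-only half-open scan, and what each kernel option actually suppresses) as a small added model, not code from the thread or from the FreeBSD kernel. It assumes a stack that, without TCP_DROP_SYNFIN, treats a SYN+FIN segment to a listening port like a plain SYN; the two options are modelled only as the thread describes them.

```python
"""Constructed teaching model of how a listening/closed port answers a
scanner's first segment under TCP_DROP_SYNFIN and TCP_RESTRICT_RST.
Not kernel code; assumptions are marked in comments."""

# TCP flag bits as laid out in the header flags octet (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def stack_response(flags: int, port_listening: bool, *,
                   drop_synfin: bool = False,
                   restrict_rst: bool = False) -> str:
    """Return 'SYN-ACK', 'RST' or 'DROP' for a segment that arrives with no
    existing connection (the situation every port-scan probe creates).
    Only the SYN / SYN+FIN cases discussed in the thread are modelled."""
    # TCP_DROP_SYNFIN: anything carrying both SYN and FIN is silently
    # ignored, open port or not, so the fingerprinting probe gets no reply.
    if drop_synfin and (flags & SYN) and (flags & FIN):
        return "DROP"
    if flags & SYN and not (flags & ACK):
        if port_listening:
            # Assumption of this model: without the option, SYN+FIN to an
            # open port is handled like a plain SYN and answered SYN-ACK.
            return "SYN-ACK"
        # TCP_RESTRICT_RST: SYN to a non-listening port draws no RST.
        return "DROP" if restrict_rst else "RST"
    return "DROP"   # other probe types are outside this model


def half_open_scan_view(ports: dict, **opts) -> dict:
    """What an nmap -sS style probe (SYN only) gets back from each port,
    given {port: is_listening}."""
    return {p: stack_response(SYN, up, **opts) for p, up in ports.items()}
```

Running `half_open_scan_view({22: True, 23: False}, drop_synfin=True)` still tells open from closed ports apart, which is why the option looks like it "doesn't work" against -sS: it only removes the SYN+FIN reply used for stack identification, and TCP_RESTRICT_RST only silences closed ports.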