Date: Tue, 16 Jan 2001 09:13:58 +0100
From: Pavol Adamec <pavol_adamec@tempest.sk>
To: Dennis Jun <dennisjun@home.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: TCP_DROP_SYNFIN doesn't work?
Message-ID: <3A6402C6.98E6EDE@tempest.sk>
References: <004a01c07f90$29bcef80$0300a8c0@wilma> <3A63FFF9.8E64A6AA@tempest.sk> <007901c07f93$9fea33e0$0300a8c0@wilma>
You should also add tcp_drop_synfin="YES" to your /etc/rc.conf, because the
default setting from /etc/defaults/rc.conf is

    tcp_drop_synfin="NO"    # Set to YES to drop TCP packets with SYN+FIN

Paul

Dennis Jun wrote:
>
> I have also implemented TCP_RESTRICT_RST as well.
>
> # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> # prevents nmap et al. from identifying the TCP/IP stack,...
>
> That is from LINT. Thus the reason for my question. My friend just
> upgraded his Linux kernel to 2.4.0 with the same option and it works for
> him. Thus I'm suspecting I'm doing something wrong, but I wanted to know if
> others had this problem as well.
>
> ----- Original Message -----
> From: "Pavol Adamec" <pavol_adamec@tempest.sk>
> To: "Dennis Jun" <dennisjun@home.com>
> Cc: <freebsd-questions@FreeBSD.ORG>; <freebsd-security@FreeBSD.ORG>
> Sent: Tuesday, January 16, 2001 3:02 AM
> Subject: Re: TCP_DROP_SYNFIN
>
> > I'm not sure what you exactly meant by that, but:
> >
> > TCP_DROP_SYNFIN forces the kernel to drop packets with BOTH SYN and
> > FIN flags set. nmap -sS is a "half-open scan" - it sends packets
> > with only the SYN flag set.
> > What you likely want is TCP_RESTRICT_RST - not to emit RST for SYN
> > packets to non-listening ports.
> >
> > Paul
> >
> > Dennis Jun wrote:
> > >
> > > I have compiled this option in my kernel on 3 different FreeBSD boxes
> > > (4.1.1-STABLE, 4.1-RELEASEs) and I have noticed that it doesn't work all
> > > the time. Specifically with this scan: nmap -v -O -sS . Is it just me or
> > > does this not work for other people as well?
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
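The point the thread turns on is which segments each knob affects: a SYN+FIN filter never touches the plain SYN that nmap -sS sends, while a closed port still answers SYN with RST (and so still shows up as "closed") unless RST emission is restricted. The following is an added example, not FreeBSD kernel code and not from either poster: a user-space model of the two rules as Pavol describes them, run over constructed 20-byte TCP headers. The knobs `drop_synfin` and `restrict_rst` mirror the kernel options by name; the `demo_listening` port table and the `classify` helper are assumptions made for the example, and the restrict_rst behaviour modelled here is the thread's description ("no RST for SYN to non-listening ports"), not a claim about the exact FreeBSD 4.x implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits in byte 13 of the header (RFC 793). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum verdict {
    PASS,           /* open port: segment goes to the listening socket */
    DROP,           /* discarded silently, no reply at all */
    RST_SENT,       /* closed port: stack answers with RST */
    RST_SUPPRESSED  /* closed port, but RST withheld (restrict_rst) */
};

/* Hypothetical knobs mirroring TCP_DROP_SYNFIN / TCP_RESTRICT_RST,
 * plus a stand-in for the kernel's listening-socket lookup. */
struct policy {
    int drop_synfin;
    int restrict_rst;
    int (*listening)(uint16_t port);
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Classify an incoming TCP segment (TCP header bytes only, no IP layer). */
enum verdict tcp_input(const uint8_t *seg, size_t len, const struct policy *pol)
{
    if (len < 20)
        return DROP;                         /* truncated header */

    uint16_t dport = be16(seg + 2);
    uint8_t  flags = seg[13];

    /* TCP_DROP_SYNFIN: SYN and FIN together is never a valid open; it is
     * the fingerprinting probe the LINT comment refers to. A plain SYN
     * (what nmap -sS sends) does not match this test at all. */
    if (pol->drop_synfin && (flags & TH_SYN) && (flags & TH_FIN))
        return DROP;

    if (pol->listening(dport))
        return PASS;

    /* Closed port. RFC 793: answer with RST, except never RST a RST. */
    if (flags & TH_RST)
        return DROP;
    return pol->restrict_rst ? RST_SUPPRESSED : RST_SENT;
}

/* Constructed 20-byte TCP header (no options) with the given ports/flags. */
static void make_tcp(uint8_t seg[20], uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(seg, 0, 20);
    seg[0] = (uint8_t)(sport >> 8); seg[1] = (uint8_t)sport;
    seg[2] = (uint8_t)(dport >> 8); seg[3] = (uint8_t)dport;
    seg[12] = 5 << 4;      /* data offset: 5 words */
    seg[13] = flags;
    seg[14] = 0x10;        /* window 4096 */
}

/* Hypothetical listener table: only ports 22 and 80 are open. */
static int demo_listening(uint16_t port)
{
    return port == 22 || port == 80;
}

/* Build a segment to dport with the given flags and run it through a
 * policy with the given knob settings. Source port is arbitrary. */
enum verdict classify(uint16_t dport, uint8_t flags, int drop_synfin, int restrict_rst)
{
    uint8_t seg[20];
    struct policy pol = { drop_synfin, restrict_rst, demo_listening };
    make_tcp(seg, 40000, dport, flags);
    return tcp_input(seg, sizeof seg, &pol);
}

int main(void)
{
    static const char *name[] = { "PASS", "DROP", "RST_SENT", "RST_SUPPRESSED" };
    printf("SYN     to closed port, drop_synfin=1:  %s\n", name[classify(1, TH_SYN, 1, 0)]);
    printf("SYN     to closed port, restrict_rst=1: %s\n", name[classify(1, TH_SYN, 1, 1)]);
    printf("SYN+FIN to closed port, drop_synfin=1:  %s\n", name[classify(1, TH_SYN | TH_FIN, 1, 0)]);
    printf("SYN+FIN to closed port, drop_synfin=0:  %s\n", name[classify(1, TH_SYN | TH_FIN, 0, 0)]);
    return 0;
}
```

The first two lines of output are the whole answer to the original question: with only drop_synfin set, a SYN to a closed port still gets a RST, so the half-open scan sees exactly what it would see on an unpatched box. Only the SYN+FIN probe changes behaviour. On a real FreeBSD 4.x host the kernel option alone is not enough; the rc.conf line in Pavol's reply turns the runtime knob on, and `sysctl net.inet.tcp.drop_synfin` shows whether it actually is.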
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A6402C6.98E6EDE>