Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 16 Jan 2001 09:13:58 +0100
From:      Pavol Adamec <pavol_adamec@tempest.sk>
To:        Dennis Jun <dennisjun@home.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: TCP_DROP_SYNFIN doesn't work?
Message-ID:  <3A6402C6.98E6EDE@tempest.sk>
References:  <004a01c07f90$29bcef80$0300a8c0@wilma> <3A63FFF9.8E64A6AA@tempest.sk> <007901c07f93$9fea33e0$0300a8c0@wilma>

next in thread | previous in thread | raw e-mail | index | archive | help
You also add 

tcp_drop_synfin="YES"

to your /etc/rc.conf because default setting from /etc/defaults/rc.conf
is

tcp_drop_synfin="NO"        # Set to YES to drop TCP packets with
SYN+FIN

Paul

Dennis Jun wrote:
> 
> I have also implemented TCP_RESTRICT_RST as well.
> 
> # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> # prevents nmap et al. from identifying the TCP/IP stack,...
> 
> That is from LINT. Thus the reason for my question. My friend just
> upgraded his Linux kernel to 2.4.0 with the same option and it works for
> him. Thus I'm suspecting I'm doing something wrong but I wanted to know if
> others had this problem as well.
> 
> ----- Original Message -----
> From: "Pavol Adamec" <pavol_adamec@tempest.sk>
> To: "Dennis Jun" <dennisjun@home.com>
> Cc: <freebsd-questions@FreeBSD.ORG>; <freebsd-security@FreeBSD.ORG>
> Sent: Tuesday, January 16, 2001 3:02 AM
> Subject: Re: TCP_DROP_SYNFIN
> 
> > I'm not sure what you excatly ment by that but:
> >
> > TCP_DROP_SYNFIN forces kernel to drop packets with BOTH SYN and
> > FIN flags set. nmap -sS is a "half-open scan" - it send packets
> > with only SYN flag set.
> > What you likely want is TCP_RESTRICT_RST - not to emit RST for SYN
> > packets to non-listening ports.
> >
> > Paul
> >
> > Dennis Jun wrote:
> > >
> > > I have compiled this option in my kernel on 3 differents FreeBSD boxes
> > > (4.1.1-STABLE, 4.1-RELEASEs) and I have noticed that it doesn't work
> all
> > > the time. Specifically with this scan  nmap -v -O -sS .  Is it just me
> or
> > > does this not work for other people as well?
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> > Dennis Jun wrote:
> > >
> > > I have compiled this option in my kernel on 3 differents FreeBSD boxes
> > > (4.1.1-STABLE, 4.1-RELEASEs) and I have noticed that it doesn't work
> all
> > > the time. Specifically with this scan  nmap -v -O -sS .  Is it just me
> or
> > > does this not work for other people as well?
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A6402C6.98E6EDE>