From owner-freebsd-questions Tue Jan 11 23:17:18 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mentisworks.com (valkery.mentisworks.com [207.227.89.226]) by hub.freebsd.org (Postfix) with ESMTP id 000AF15085 for ; Tue, 11 Jan 2000 23:17:15 -0800 (PST) (envelope-from nathank@mentisworks.com)
Received: from [24.29.246.53] (HELO mentisworks.com) by mentisworks.com (CommuniGate Pro SMTP 3.2b9) with ESMTP id 651404 for freebsd-questions@freebsd.org; Wed, 12 Jan 2000 01:17:19 -0600
Received: from [192.168.245.111] (HELO mentisworks.com) by mentisworks.com (CommuniGate Pro SMTP 3.2b9) with ESMTP id 2350007 for freebsd-questions@freebsd.org; Wed, 12 Jan 2000 01:17:18 -0600
Message-ID: <387C29CE.4904EBBE@mentisworks.com>
Date: Wed, 12 Jan 2000 01:14:22 -0600
From: Nathan Kinsman
Organization: Mentisworks, LLC
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Subject: Re: Kernel Option: TCP_DROP_SYNFIN
References: <200001111947.LAA55191@cwsys.cwsent.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Cy Schubert - ITSD Open Systems Group wrote:
>
> In message , Dag-Erling Smorgrav
> writes:
> > Brad Knowles writes:
> > > At 12:18 PM -0800 2000/1/9, Holtor wrote:
> > > > Would this help stop SYN floods from breaking my
> > > > freebsd computer? If anyone's tried it, please speak
> > > > up with any results or how it works. Thanks!
> > > I've used it and haven't seen it do any harm to the systems I was
> > > using it on, although I can't speak for how well it might have helped
> > > them survive a SYN flood. Unless you're using TTCP (TCP for
> > > Transactions), you should probably be safe in enabling it.
> >
> > It doesn't have anything to do with syn floods at all. It merely
> > prevents OS fingerprinting (at least the way nmap does it).
>
> The following ipfw rule will also prevent OS fingerprinting.
>
> deny log tcp from any to any in tcpflg fin,syn

Are you sure this still works? NMAP 2.3BETA12 does not seem to have a
problem fingerprinting a FreeBSD host protected by TCP_DROP_SYNFIN, or
using the equivalent IPFilter rule in the experiments I have done.

--
Nathan Kinsman

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
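The point under discussion is what TCP_DROP_SYNFIN (and the equivalent ipfw rule) actually filters: a segment whose flags byte has both SYN and FIN set, whatever the other bits are. The following is an added example, not code from the thread or from the FreeBSD kernel. It implements that flag test over raw TCP headers and runs it against a constructed probe set modelled on nmap's classic OS-detection tests. The probe list, the port numbers and all function names are assumptions made for illustration; only the SYN+FIN comparison itself corresponds to what the kernel option and an ipfw `tcpflags syn,fin` match test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits in the flags byte (offset 13 of the header, RFC 793). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20

#define TCP_MIN_HDR 20

/* Build a minimal, option-less TCP header into buf. This is constructed
 * test input, not a real capture; the checksum is left zero because the
 * flag filter never looks at it. Returns bytes written, or 0 if buf is
 * too small. */
size_t build_tcp_segment(uint8_t *buf, size_t cap,
                         uint16_t sport, uint16_t dport, uint8_t flags)
{
    if (cap < TCP_MIN_HDR)
        return 0;
    memset(buf, 0, TCP_MIN_HDR);
    buf[0] = (uint8_t)(sport >> 8); buf[1] = (uint8_t)sport;
    buf[2] = (uint8_t)(dport >> 8); buf[3] = (uint8_t)dport;
    buf[12] = 5 << 4;               /* data offset: 5 words = 20 bytes */
    buf[13] = flags;
    buf[14] = 0x10; buf[15] = 0x00; /* window 4096 */
    return TCP_MIN_HDR;
}

/* Flags byte of a raw TCP header, or -1 if the segment is truncated. */
int tcp_flags(const uint8_t *seg, size_t len)
{
    if (seg == NULL || len < TCP_MIN_HDR)
        return -1;
    return seg[13];
}

/* The SYN+FIN test: matches only when BOTH bits are set, regardless of
 * the remaining flags. A truncated segment is not matched here; a real
 * stack discards it earlier for other reasons. */
int drop_synfin_match(const uint8_t *seg, size_t len)
{
    int f = tcp_flags(seg, len);
    if (f < 0)
        return 0;
    return (f & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN);
}

/* Convenience: build a segment with the given flags and run the check. */
int synfin_dropped_for_flags(uint8_t flags)
{
    uint8_t seg[TCP_MIN_HDR];
    size_t n = build_tcp_segment(seg, sizeof seg, 40000, 80, flags);
    return drop_synfin_match(seg, n);
}

/* Probe set modelled on nmap's classic OS-detection tests. Assumed for
 * illustration; the exact list is not part of the thread. */
struct probe { const char *name; uint8_t flags; };
static const struct probe probes[] = {
    { "SYN to open port",              TH_SYN },
    { "NULL to open port",             0 },
    { "SYN|FIN|URG|PSH to open port",  TH_SYN | TH_FIN | TH_URG | TH_PUSH },
    { "ACK to open port",              TH_ACK },
    { "SYN to closed port",            TH_SYN },
    { "ACK to closed port",            TH_ACK },
    { "FIN|PSH|URG to closed port",    TH_FIN | TH_PUSH | TH_URG },
};
#define NPROBES (sizeof probes / sizeof probes[0])

size_t probes_total(void) { return NPROBES; }

/* How many of the probes the SYN+FIN rule would actually discard. */
size_t probes_dropped(void)
{
    size_t dropped = 0;
    for (size_t i = 0; i < NPROBES; i++)
        if (synfin_dropped_for_flags(probes[i].flags))
            dropped++;
    return dropped;
}

int main(void)
{
    for (size_t i = 0; i < NPROBES; i++)
        printf("%-32s %s\n", probes[i].name,
               synfin_dropped_for_flags(probes[i].flags) ? "DROPPED" : "passes");
    printf("%zu of %zu probes dropped\n", probes_dropped(), probes_total());
    return 0;
}
```

Only the probe that sets SYN and FIN together is discarded; the NULL, ACK, plain SYN and FIN|PSH|URG probes are untouched and still elicit the stack's normal, OS-specific replies (RST or not, window size, options, TTL). Silently dropping the SYN+FIN probe is itself an observable behaviour rather than a neutral one. That is consistent with the observation in this message that a host with TCP_DROP_SYNFIN or the equivalent IPFilter rule is still fingerprinted.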