From: Dag-Erling Smorgrav <des@ofug.org>
Date: 16 Jan 2001 09:25:38 +0100
To: Pavol Adamec
Cc: Dennis Jun, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: TCP_DROP_SYNFIN
In-Reply-To: Pavol Adamec's message of "Tue, 16 Jan 2001 09:02:01 +0100"

Pavol Adamec writes:
> TCP_DROP_SYNFIN forces kernel to drop packets with BOTH SYN and
> FIN flags set. nmap -sS is a "half-open scan" - it sends packets
> with only SYN flag set.
> What you likely want is TCP_RESTRICT_RST - not to emit RST for SYN
> packets to non-listening ports.

Correct. TCP_DROP_SYNFIN protects against (some forms of) OS
fingerprinting, not against port scanning.

And in both cases, remember that the corresponding sysctl variable
defaults to off (see /etc/defaults/rc.conf).

DES
--
Dag-Erling Smorgrav - des@ofug.org
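As an added illustration that is not part of the thread, the following C model shows which incoming segments each of the two options affects, and why a SYN-only half-open probe is untouched by TCP_DROP_SYNFIN but goes unanswered under TCP_RESTRICT_RST. The header layout follows RFC 793; the `policy` struct, `classify()` and the sample segments are constructed here and are a simplified model, not FreeBSD's tcp_input().

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the two kernel options discussed in the thread.
 * Each field mirrors the sysctl the option enables (both default to 0). */
struct policy {
    int drop_synfin;   /* TCP_DROP_SYNFIN -> net.inet.tcp.drop_synfin  */
    int restrict_rst;  /* TCP_RESTRICT_RST -> net.inet.tcp.restrict_rst */
};

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum verdict { DELIVER, DROP_SILENT, SEND_RST };

/* The flags byte is at offset 13 of a TCP header; low 6 bits are the flags. */
static uint8_t tcp_flags(const uint8_t *hdr, size_t len) {
    return len >= 20 ? (uint8_t)(hdr[13] & 0x3f) : 0;
}

/* Decide what the stack does with a segment for a listening (1) or
 * closed (0) port under the given policy. */
enum verdict classify(const uint8_t *hdr, size_t len, int listening,
                      const struct policy *p) {
    uint8_t f = tcp_flags(hdr, len);
    if (len < 20) return DROP_SILENT;
    /* drop_synfin: SYN+FIN is never a valid opening segment; drop it silently. */
    if (p->drop_synfin && (f & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN))
        return DROP_SILENT;
    if (listening) return DELIVER;
    /* Closed port: RFC 793 answers with RST, unless the segment is itself a RST. */
    if (f & TH_RST) return DROP_SILENT;
    /* restrict_rst: stay silent, so a SYN-only probe gets no RST back. */
    return p->restrict_rst ? DROP_SILENT : SEND_RST;
}

/* Build a constructed 20-byte header carrying the given flags. */
void make_segment(uint8_t out[20], uint16_t dport, uint8_t flags) {
    for (int i = 0; i < 20; i++) out[i] = 0;
    out[0] = 0xc3; out[1] = 0x50;                      /* source port 50000 */
    out[2] = (uint8_t)(dport >> 8); out[3] = (uint8_t)(dport & 0xff);
    out[12] = 5 << 4;                                  /* data offset: 5 words */
    out[13] = flags;
}

/* Convenience wrapper: verdict for one flag combination under one policy. */
enum verdict verdict_for(uint8_t flags, int listening, int drop_synfin, int restrict_rst) {
    uint8_t seg[20];
    struct policy p = { drop_synfin, restrict_rst };
    make_segment(seg, 80, flags);
    return classify(seg, sizeof seg, listening, &p);
}
```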