Date:      16 Jan 2001 09:25:38 +0100
From:      Dag-Erling Smorgrav <des@ofug.org>
To:        Pavol Adamec <pavol_adamec@tempest.sk>
Cc:        Dennis Jun <dennisjun@home.com>, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: TCP_DROP_SYNFIN
Message-ID:  <xzpzogr3nul.fsf@flood.ping.uio.no>
In-Reply-To: Pavol Adamec's message of "Tue, 16 Jan 2001 09:02:01 +0100"
References:  <004a01c07f90$29bcef80$0300a8c0@wilma> <3A63FFF9.8E64A6AA@tempest.sk>

Pavol Adamec <pavol_adamec@tempest.sk> writes:
> TCP_DROP_SYNFIN forces the kernel to drop packets with BOTH SYN and
> FIN flags set. nmap -sS is a "half-open scan" - it sends packets
> with only the SYN flag set.
> What you likely want is TCP_RESTRICT_RST - not to emit RST for SYN
> packets to non-listening ports.

Correct. TCP_DROP_SYNFIN protects against (some forms of) OS
fingerprinting, not against port scanning. And in both cases, remember
that the corresponding sysctl variable defaults to off (see
/etc/defaults/rc.conf).

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
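As an added illustration (not part of the original message or of FreeBSD's own code), the following Python model shows how the two kernel options named in the thread treat the probe types discussed above; the function and variable names are invented for the example, and the TCP headers are constructed inline.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10

def make_segment(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header: no options, no payload."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)

def parse_tcp_header(raw: bytes) -> dict:
    """Source port, destination port and the six RFC 793 flag bits."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    fields = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": fields[0], "dport": fields[1], "flags": fields[4] & 0x3F}

def kernel_response(raw: bytes, listening: set, drop_synfin: bool = False,
                    restrict_rst: bool = False) -> str:
    """Reply the stack sends: 'syn-ack', 'rst', 'deliver' or 'drop' (silence).
    drop_synfin / restrict_rst model the kernel options named in the thread;
    both default to off, as the reply above notes."""
    hdr = parse_tcp_header(raw)
    f = hdr["flags"]
    # TCP_DROP_SYNFIN: SYN and FIN together is discarded before any port lookup,
    # so a fingerprinting probe that relies on the reply gets nothing back.
    if drop_synfin and f & TH_SYN and f & TH_FIN:
        return "drop"
    if hdr["dport"] in listening:
        # An open port still answers a plain SYN with SYN-ACK, which is exactly
        # what a half-open (nmap -sS) scan reads as "open": SYNFIN does not help.
        return "syn-ack" if f & TH_SYN and not f & TH_ACK else "deliver"
    if f & TH_RST:          # RFC 793: never answer a RST with a RST
        return "drop"
    # TCP_RESTRICT_RST: withhold the RST that a SYN to a closed port would get.
    if restrict_rst and f & TH_SYN:
        return "drop"
    return "rst"

def demo() -> dict:
    # Constructed probes against a host that listens only on port 22.
    listening = {22}
    half_open = make_segment(40000, 22, TH_SYN)          # SYN-only probe, open port
    closed_syn = make_segment(40001, 8080, TH_SYN)       # SYN-only probe, closed port
    synfin = make_segment(40002, 22, TH_SYN | TH_FIN)    # SYN+FIN fingerprint probe
    return {
        "synfin_default": kernel_response(synfin, listening),
        "synfin_dropped": kernel_response(synfin, listening, drop_synfin=True),
        "halfopen_still_seen": kernel_response(half_open, listening, drop_synfin=True),
        "closed_default": kernel_response(closed_syn, listening),
        "closed_restricted": kernel_response(closed_syn, listening, restrict_rst=True),
    }
```

Running `demo()` shows the point of the thread: only the SYN+FIN probe is silenced by TCP_DROP_SYNFIN, while the SYN-only probe to the open port is answered regardless, and only TCP_RESTRICT_RST changes what a SYN to a closed port gets back.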
