Date:      Mon, 16 Aug 1999 20:37:09 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        archie@whistle.com (Archie Cobbs)
Cc:        current@FreeBSD.ORG
Subject:   Re: Dropping connections without RST
Message-ID:  <199908170337.UAA10246@gndrsh.dnsmgr.net>
In-Reply-To: <199908170133.SAA25256@bubba.whistle.com> from Archie Cobbs at "Aug 16, 1999 06:33:51 pm"

> Geoff Rehmet writes:
> > After the discussions regarding the "log_in_vain"
> > sysctls, I was thinking about a feature I would
> > like to implement:
> > 
> > Instead of sending a RST (for TCP) or Port Unreachable
> > (for UDP) where the box is not listening on a socket,
> > I would like to implement a sysctl, which disables the
> > sending of the RST or the Port unreachable.  This is 
> > basically for public servers (like DNS servers), which
> > I want to turn into black holes on ports where they
> > are not listening.  (This confuses things if someone
> > strobes the machines, and also makes life a little
> > more difficult for anyone who tries to portscan them.)
> > 
> > In default configuration, everything would behave as per
> > normal, and you would have to set a sysctl MIB before the
> > behaviour that I have described is displayed.
> > 
> > Can anyone think of any reason why this feature should
> > not be implemented?
> 
> I like that idea... net.inet.{tcp,udp}.drop_in_vain ?
> 
I kinda like the idea of this, but can't that really just
be done easily with a few ipfw rules, the last two being
the important ones:

myip=192.0.2.10		# this host's address (example value)
for port in 22 53 ; do		# unquoted, so the loop runs once per port
	ipfw add allow udp from any to ${myip} ${port}
	ipfw add allow udp from ${myip} ${port} to any
	ipfw add allow tcp from any to ${myip} ${port}
	ipfw add allow tcp from ${myip} ${port} to any
done
# deny drops the packet silently: no RST and no ICMP port unreachable
# go back.  Note this also drops replies to TCP connections the host
# opens itself; an "allow tcp from any to ${myip} established" rule
# ahead of these fixes that, at the cost of answering ACK probes.
ipfw add deny udp from any to ${myip}
ipfw add deny tcp from any to ${myip}

Why should we special case this?

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
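Added example, not part of the thread and not FreeBSD code: the effect of black-holing as seen from the scanner's side. A TCP connect() scan learns that a port is closed the instant the RST arrives (connect() fails with ECONNREFUSED); when the probe is dropped silently, whether by an ipfw deny rule (which, unlike ipfw's reset or unreach actions, sends nothing back) or by a kernel that black-holes the port, the scanner sees only a timeout and has to wait it out for every such port. The script below turns that distinction into the usual open/closed/filtered verdict for TCP, and does the same for UDP from the presence or absence of ICMP port unreachable. probe_tcp, probe_udp and the demo_tcp helper are names chosen here; it runs against loopback, which answers closed ports with RST, so it shows "open" and "closed"; against a black-holed port the closed probe would come back "filtered" after the full timeout. FreeBSD later gained net.inet.tcp.blackhole and net.inet.udp.blackhole (blackhole(4)), which do what Geoff describes. The caveat is that this only slows a scanner down: the ports you do listen on still answer, so the host is not hidden, and scanners simply report the silent ports as filtered.

```python
"""Added example, not from the thread: what a port scanner sees when a
host answers closed ports with RST/ICMP versus black-holing them."""
import errno
import socket


def classify_tcp_error(err):
    """Turn the outcome of one TCP connect() into a scanner verdict.

    err is None on success, the string "timeout" when nothing came back
    before the deadline, or the errno of a failed connect().
    """
    if err is None:
        return "open"                  # SYN/ACK came back
    if err == "timeout":
        return "filtered"              # no RST, no ICMP: dropped or black-holed
    if err == errno.ECONNREFUSED:
        return "closed"                # the host sent a TCP RST
    if err in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"           # ICMP unreachable from a router
    return "error"


def probe_tcp(host, port, timeout=1.0):
    """Connect-scan one TCP port; returns open/closed/filtered/..."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        err = None
    except socket.timeout:             # subclass of OSError: catch it first
        err = "timeout"
    except OSError as e:
        err = e.errno
    finally:
        s.close()
    return classify_tcp_error(err)


def probe_udp(host, port, timeout=1.0):
    """UDP probe: on a connected UDP socket the kernel reports an ICMP
    port unreachable as ECONNREFUSED; silence is ambiguous (a quiet
    service, or a black hole), so it is reported as open|filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")                # constructed one-byte probe payload
        s.recv(512)
        return "open"
    except socket.timeout:
        return "open|filtered"
    except ConnectionRefusedError:
        return "closed"
    finally:
        s.close()


def _free_tcp_port():
    """Ask the kernel for a currently unused loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo_tcp():
    """Helper added for this example: show both verdicts on loopback,
    where closed ports answer with RST as Geoff's default case would."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # kernel picks a free port
    listener.listen(1)
    results = {"listening": probe_tcp("127.0.0.1", listener.getsockname()[1])}
    listener.close()
    # Nobody listens on a fresh port, so the stack sends a RST back.
    results["closed"] = probe_tcp("127.0.0.1", _free_tcp_port())
    return results


if __name__ == "__main__":
    print(demo_tcp())
    # On a black-holed host "closed" would read "filtered" instead, and the
    # probe would have waited the whole timeout to find that out.
```

Point the probes at a host behind Rod's ruleset (or one with the blackhole sysctls on) and every non-listening port costs the scanner a full timeout instead of one round trip; that is the whole gain.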





