From owner-freebsd-current Mon Aug 16 20:38:15 1999
Delivered-To: freebsd-current@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 0988F14DFA for ; Mon, 16 Aug 1999 20:38:11 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id UAA10246; Mon, 16 Aug 1999 20:37:10 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199908170337.UAA10246@gndrsh.dnsmgr.net>
Subject: Re: Dropping connections without RST
In-Reply-To: <199908170133.SAA25256@bubba.whistle.com> from Archie Cobbs at "Aug 16, 1999 06:33:51 pm"
To: archie@whistle.com (Archie Cobbs)
Date: Mon, 16 Aug 1999 20:37:09 -0700 (PDT)
Cc: current@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Geoff Rehmet writes:
> > After the discussions regarding the "log_in_vain"
> > sysctls, I was thinking about a feature I would
> > like to implement:
> >
> > Instead of sending a RST (for TCP) or Port Unreachable
> > (for UDP) where the box is not listening on a socket,
> > I would like to implement a sysctl, which disables the
> > sending of the RST or the Port unreachable. This is
> > basically for public servers (like DNS servers), which
> > I want to turn into black holes on ports where they
> > are not listening. (This confuses things if someone
> > strobes the machines, and also makes life a little
> > more difficult for anyone who tries to portscan them.)
> >
> > In default configuration, everything would behave as per
> > normal, and you would have to set a sysctl MIB before the
> > behaviour that I have described is displayed.
> >
> > Can anyone think of any reason why this feature should
> > not be implemented?
>
> I like that idea... net.inet.{tcp,udp}.drop_in_vain ?
I kinda like the idea of this, but can't that really just be done easily with a few ipfw rules, the last two being the important ones:

	# ports are listed unquoted so the loop runs once per port
	for port in 22 53 ; do
		ipfw add allow udp from any to ${myip} ${port}
		ipfw add allow udp from ${myip} ${port} to any
		ipfw add allow tcp from any to ${myip} ${port}
		ipfw add allow tcp from ${myip} ${port} to any
	done
	# catch-all: silently drop everything else aimed at this host
	ipfw add deny udp from any to ${myip}
	ipfw add deny tcp from any to ${myip}

Why should we special case this?

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
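The rule set Rod sketches, written out as a complete script. This is an added example and not code from the thread or from FreeBSD; it generates the ipfw rules instead of applying them, so it can be inspected (or piped to sh on a host with ipfw enabled). It also goes one step beyond the thread: the trailing catch-all can be emitted either as "deny" (a silent drop, the black-hole behaviour Geoff proposed as a sysctl) or as "reset" / "unreach port" (ipfw actions that send the TCP RST or ICMP port unreachable the stack would otherwise send itself), which shows that both behaviours are expressible as firewall policy. The address 192.0.2.10 and the port list are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): build an ipfw rule set that
# allows a list of service ports to a host and handles everything else with
# a trailing catch-all. Rules are printed, not applied.

# gen_rules <myip> <mode> <port>...
#   mode = blackhole -> catch-all uses "deny" (no RST / no ICMP reply)
#   mode = reject    -> catch-all uses "unreach port" for UDP and "reset"
#                       for TCP (the active refusal the stack does by default)
gen_rules() {
    myip=$1; mode=$2; shift 2
    # Ports arrive as separate arguments, so the loop sees each one on its own
    # (a quoted "22 53" would be a single word and run the body only once).
    for port in "$@"; do
        echo "ipfw add allow udp from any to ${myip} ${port}"
        echo "ipfw add allow udp from ${myip} ${port} to any"
        echo "ipfw add allow tcp from any to ${myip} ${port}"
        echo "ipfw add allow tcp from ${myip} ${port} to any"
    done
    # The catch-all must come last: ipfw stops at the first matching rule.
    case $mode in
        blackhole)
            echo "ipfw add deny udp from any to ${myip}"
            echo "ipfw add deny tcp from any to ${myip}"
            ;;
        reject)
            echo "ipfw add unreach port udp from any to ${myip}"
            echo "ipfw add reset tcp from any to ${myip}"
            ;;
        *)
            echo "gen_rules: unknown mode '${mode}' (use blackhole or reject)" >&2
            return 1
            ;;
    esac
}

# count_rules <myip> <mode> <port>... : number of rules gen_rules emits
count_rules() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# last_rule <myip> <mode> <port>... : the final (catch-all) rule
last_rule() {
    gen_rules "$@" | tail -n 1
}

# Example run: allow ssh and DNS, black-hole everything else (placeholder IP).
gen_rules 192.0.2.10 blackhole 22 53
```

Swapping the mode argument is the only difference between "the box answers with RST / port unreachable" and "the box says nothing", which is the same switch Geoff wants as a sysctl; the ipfw version has the advantage of being scoped per address and per protocol rather than global to the stack.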