Date:      Mon, 7 Jul 2003 17:33:14 +0200
From:      Toni Andjelkovic <toni@soth.at>
To:        Socketd <db@traceroute.dk>
Cc:        hackers@freebsd.org
Subject:   Re: 5 "Advanced" networking questions
Message-ID:  <20030707153314.GA1695@webboy.soth.at>
In-Reply-To: <20030707012205.3103dfc8.db@traceroute.dk>
References:  <20030707012205.3103dfc8.db@traceroute.dk>

On Mon, Jul 07 2003 (01:22:05 +0200), Socketd wrote:
> 1. Reading "man blackhole" I found that net.inet.udp.blackhole=1 will
> prevent traceroute. Is this only if the host is the end target? Or will
> it simply disable sending an ICMP packet when it gets a packet with
> ttl=1?

Look in sys/netinet/udp_usrreq.c. This flag operates on the UDP layer and
doesn't interfere with TTLs.

> 2. Does net.inet.icmp.drop_redirect drop all redirects?
> 	Redirect datagrams for the Network.
> 	Redirect datagrams for the Host.
> 	Redirect datagrams for the Type of Service and Network.
> 	Redirect datagrams for the Type of Service and Host.

Look in sys/netinet/ip_icmp.c, it checks for icp->icmp_type, not icp->icmp_code,
so all incoming ICMP packets with a type of ICMP_REDIRECT would be dropped.

> 3. What is the difference between net.inet.ip.redirect and the above?

Look in sys/netinet/ip_input.c. This is different from incoming redirects.

> 4. There is a net.inet.icmp.maskrepl, but can you also disable
> timestamp, echo request and information request messages the same way or
> do I need a firewall for that?

Look in sys/netinet/ip_icmp.c. You need to block these packets separately.

> 5. In order to drop SYN-FIN packets, do I need to compile the kernel
> with "options TCP_DROP_SYNFIN" or can I just use "tcp_drop_synfin="YES"" in
> /etc/rc.conf? Is there a net.inet.tcp.?? I can use instead of the above
> suggestions?

Look in netinet/tcp_input.c. You need the kernel option "TCP_DROP_SYNFIN" in
addition to tcp_drop_synfin="YES".

Cheers,
Toni
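As an added example (not part of the thread), a POSIX sh audit that checks the sysctls discussed above against a hardening baseline, run here on constructed sample sysctl(8) output so it works offline. The baseline values and the sample are assumptions; net.inet.tcp.drop_synfin is the OID that the tcp_drop_synfin rc.conf knob sets, and it is reported as missing when the kernel was built without the option.

```shell
#!/bin/sh
# Added example, not from the thread: audit the sysctls discussed above
# against a hardening baseline. Works offline on constructed sample output;
# on a real FreeBSD host feed it the output of `sysctl <oid> <oid> ...`.

# Assumed baseline: blackhole UDP probes, drop incoming ICMP redirects,
# never send redirects, no netmask replies, drop SYN+FIN segments.
BASELINE='net.inet.udp.blackhole=1
net.inet.icmp.drop_redirect=1
net.inet.ip.redirect=0
net.inet.icmp.maskrepl=0
net.inet.tcp.drop_synfin=1'

# Constructed sample in sysctl(8) "oid: value" format. drop_synfin is
# absent, as on a kernel built without "options TCP_DROP_SYNFIN".
SAMPLE='net.inet.udp.blackhole: 0
net.inet.icmp.drop_redirect: 1
net.inet.ip.redirect: 1
net.inet.icmp.maskrepl: 0'

# audit_sysctls OUTPUT: print one line per deviation from BASELINE.
# An OID absent from OUTPUT is reported as MISSING, which for drop_synfin
# means the kernel option (not just the rc.conf knob) is needed.
audit_sysctls() {
    output=$1
    printf '%s\n' "$BASELINE" | while IFS='=' read -r oid want; do
        have=$(printf '%s\n' "$output" | awk -v k="$oid:" '$1 == k { print $2 }')
        if [ -z "$have" ]; then
            printf 'MISSING  %s (OID not present; kernel option not compiled in?)\n' "$oid"
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s is %s, want %s\n' "$oid" "$have" "$want"
        fi
    done
}

# count_deviations OUTPUT: number of deviation lines (0 means compliant).
count_deviations() {
    audit_sysctls "$1" | wc -l | tr -d ' '
}

audit_sysctls "$SAMPLE"
echo "deviations: $(count_deviations "$SAMPLE")"
```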
