From owner-freebsd-hackers@FreeBSD.ORG Mon Jul 7 08:33:16 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E5C3E37B401 for ; Mon, 7 Jul 2003 08:33:16 -0700 (PDT)
Received: from webboy.soth.at (door.soth.at [80.110.102.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C72F43FA3 for ; Mon, 7 Jul 2003 08:33:16 -0700 (PDT) (envelope-from toni@webboy.soth.at)
Received: by webboy.soth.at (Postfix, from userid 1000) id 9BE807C7; Mon, 7 Jul 2003 17:33:14 +0200 (CEST)
Date: Mon, 7 Jul 2003 17:33:14 +0200
From: Toni Andjelkovic
To: Socketd
Message-ID: <20030707153314.GA1695@webboy.soth.at>
References: <20030707012205.3103dfc8.db@traceroute.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030707012205.3103dfc8.db@traceroute.dk>
User-Agent: Mutt/1.4i
cc: hackers@freebsd.org
Subject: Re: 5 "Advanced" networking questions
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Mon, 07 Jul 2003 15:33:17 -0000

On Mon, Jul 07 2003 (01:22:05 +0200), Socketd wrote:
> 1. Reading "man blackhole" I found that net.inet.udp.blackhole=1 will
> prevent traceroute. Is this only if the host is the end target? or will
> it simply disable sending an ICMP packet when it gets a packet with
> ttl=1?

Look in sys/netinet/udp_usrreq.c. This flag operates on the UDP layer
and doesn't interfere with TTLs.

> 2. Does net.inet.icmp.drop_redirect drop all redirects?
> Redirect datagrams for the Network.
> Redirect datagrams for the Host.
> Redirect datagrams for the Type of Service and Network.
> Redirect datagrams for the Type of Service and Host.

Look in sys/netinet/ip_icmp.c, it checks for icp->icmp_type, not
icp->icmp_code, so all incoming ICMP packets with a type of
ICMP_REDIRECT would be dropped.

> 3. What is the difference between net.inet.ip.redirect and the above?

Look in sys/netinet/ip_input.c. This is different from incoming
redirects.

> 4. There is a net.inet.icmp.maskrepl, but can you also disable
> timestamp, echo request and information request messages the same way or
> do I need a firewall for that?

Look in sys/netinet/ip_icmp.c. You need to block these packets
separately.

> 5. In order to drop SYN-FIN packets, do I need to compile the kernel
> with "options TCP_DROP_SYNFIN" or can I just use "tcp_drop_synfin="YES"" in
> /etc/rc.conf? Is there a net.inet.tcp.?? I can use instead of the above
> suggestions?

Look in netinet/tcp_input.c. You need the kernel option
"TCP_DROP_SYNFIN" in addition to tcp_drop_synfin="YES".

Cheers,
Toni
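The two checks the reply points at, the redirect drop keyed on icmp_type rather than icmp_code (answer 2) and the SYN+FIN drop (answer 5), modelled as a small packet filter over constructed packets. This is an added example, not code from the mail thread and not FreeBSD's ip_icmp.c or tcp_input.c; the `drop_other_icmp` knob is hypothetical and stands in for the separate firewall rules answer 4 says are needed for echo, timestamp, information and mask requests. ICMP type numbers are those of RFC 792.

```c
/* Toy filter modelling the checks discussed in the thread. Added example
 * code, NOT FreeBSD's ip_icmp.c / tcp_input.c. "drop_other_icmp" is a
 * hypothetical knob standing in for separate firewall rules. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ICMP 1
#define PROTO_TCP  6
/* ICMP message types (RFC 792) */
#define ICMP_T_REDIRECT  5
#define ICMP_T_ECHO      8
#define ICMP_T_TSTAMP   13
#define ICMP_T_IREQ     15
#define ICMP_T_MASKREQ  17
/* TCP flag bits in byte 13 of the TCP header */
#define TH_FIN 0x01
#define TH_SYN 0x02

enum verdict { PASS = 0, DROP = 1 };

struct policy {
    int drop_redirect;    /* like net.inet.icmp.drop_redirect */
    int drop_other_icmp;  /* hypothetical: echo/timestamp/info/mask requests */
    int drop_synfin;      /* like TCP_DROP_SYNFIN + tcp_drop_synfin="YES" */
};

/* IPv4 header length in bytes; 0 if truncated, not v4, or IHL is bogus. */
static size_t ip_hdr_len(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    return (ihl < 20 || ihl > len) ? 0 : ihl;
}

enum verdict filter_packet(const struct policy *p, const uint8_t *pkt, size_t len)
{
    size_t ihl = ip_hdr_len(pkt, len);
    if (ihl == 0) return DROP;                 /* malformed: fail closed */
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;

    if (pkt[9] == PROTO_ICMP) {
        if (l4len < 8) return DROP;
        uint8_t type = l4[0];                  /* l4[1] is the code: never consulted */
        /* Keyed on type only, so redirect codes 0..3 all match. */
        if (p->drop_redirect && type == ICMP_T_REDIRECT) return DROP;
        if (p->drop_other_icmp && (type == ICMP_T_ECHO || type == ICMP_T_TSTAMP ||
                                   type == ICMP_T_IREQ || type == ICMP_T_MASKREQ))
            return DROP;
        return PASS;
    }
    if (pkt[9] == PROTO_TCP) {
        if (l4len < 20) return DROP;
        uint8_t flags = l4[13];
        /* SYN and FIN together in one segment is never legitimate. */
        if (p->drop_synfin && (flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN))
            return DROP;
        return PASS;
    }
    return PASS;                               /* other protocols: untouched */
}

/* Constructed IPv4 packet: 20-byte header, no options, then payload. */
static size_t build_ipv4(uint8_t *buf, uint8_t proto, const uint8_t *payload, size_t plen)
{
    memset(buf, 0, 20);
    buf[0] = 0x45;                             /* version 4, IHL 5 */
    buf[8] = 64;                               /* TTL */
    buf[9] = proto;
    memcpy(buf + 20, payload, plen);
    return 20 + plen;
}

/* Build an ICMP packet with the given type/code and filter it. */
enum verdict check_icmp(int drop_redirect, int drop_other, uint8_t type, uint8_t code)
{
    struct policy p = { drop_redirect, drop_other, 0 };
    uint8_t icmp[8] = { type, code, 0, 0, 0, 0, 0, 0 };
    uint8_t buf[64];
    size_t n = build_ipv4(buf, PROTO_ICMP, icmp, sizeof icmp);
    return filter_packet(&p, buf, n);
}

/* Build a TCP segment with the given flags and filter it. */
enum verdict check_tcp(int drop_synfin, uint8_t flags)
{
    struct policy p = { 0, 0, drop_synfin };
    uint8_t tcp[20] = { 0 };
    uint8_t buf[64];
    tcp[12] = 0x50;                            /* data offset 5 words */
    tcp[13] = flags;
    size_t n = build_ipv4(buf, PROTO_TCP, tcp, sizeof tcp);
    return filter_packet(&p, buf, n);
}

int main(void)
{
    for (unsigned code = 0; code < 4; code++)
        printf("ICMP redirect code %u: %s\n", code,
               check_icmp(1, 0, ICMP_T_REDIRECT, (uint8_t)code) == DROP ? "drop" : "pass");
    printf("ICMP echo with drop_redirect only: %s\n",
           check_icmp(1, 0, ICMP_T_ECHO, 0) == DROP ? "drop" : "pass");
    printf("TCP SYN+FIN: %s\n", check_tcp(1, TH_SYN | TH_FIN) == DROP ? "drop" : "pass");
    return 0;
}
```

The point to take from it: because the redirect decision reads only the type byte, all four redirect codes are dropped by one switch, while an echo request with the same policy still passes, which is why the other ICMP types need their own rule. The SYN+FIN check is likewise independent of the ICMP knobs.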