Date: Fri, 28 Dec 2007 13:34:13 +0100
From: "Beat Gaetzi" <beat@chruetertee.ch>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: conf/119098: [PATCH] Remove rc.conf reference to TCP_DROP_SYNFIN kernel option
Message-ID: <200712281234.lBSCY4Fw015101@marvin.chruetertee.ch>
Resent-Message-ID: <200712281320.lBSDK1v8032768@freefall.freebsd.org>
>Number: 119098 >Category: conf >Synopsis: [PATCH] Remove rc.conf reference to TCP_DROP_SYNFIN kernel option >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Fri Dec 28 13:20:01 UTC 2007 >Closed-Date: >Last-Modified: >Originator: Beat Gätzi >Release: FreeBSD 8.0-CURRENT i386 >Organization: >Environment: System: FreeBSD daedalus.network.local 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Mon Dec 3 13:00:30 CET 2007 root@daedalus.network.local:/usr/obj/usr/src/sys/GENERIC i386 >Description: The TCP_DROP_SYNFIN kernel option is now included in the kernel by default. Remove reference to this option from defaults/rc.conf and rc.conf(5). >How-To-Repeat: >Fix: --- synfin.patch begins here --- diff -Naur src.ori/etc/defaults/rc.conf src/etc/defaults/rc.conf --- src.ori/etc/defaults/rc.conf 2007-10-23 20:36:44.000000000 +0200 +++ src/etc/defaults/rc.conf 2007-12-28 13:12:00.000000000 +0100 @@ -163,8 +163,6 @@ tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions. log_in_vain="0" # >=1 to log connects to ports w/o listeners. tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO). -# For the following option you need to have TCP_DROP_SYNFIN set in your -# kernel. Please refer to LINT and NOTES for details. tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN # NOTE: this violates the TCP specification icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets diff -Naur src.ori/share/man/man5/rc.conf.5 src/share/man/man5/rc.conf.5 --- src.ori/share/man/man5/rc.conf.5 2007-11-04 18:08:19.000000000 +0100 +++ src/share/man/man5/rc.conf.5 2007-12-28 13:12:48.000000000 +0100 
@@ -952,10 +952,6 @@ the SYN and FIN flags set. This prevents OS fingerprinting, but may break some legitimate applications. -This option is only available if the -kernel was built with the -.Dv TCP_DROP_SYNFIN -option. .It Va icmp_drop_redirect .Pq Vt bool Set to --- synfin.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
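Review bot: In the etc/defaults/rc.conf hunk (at line 163), the removed comment pointed readers to LINT and NOTES, but the patch touches only etc/defaults/rc.conf and share/man/man5/rc.conf.5. Please confirm that LINT and NOTES no longer describe TCP_DROP_SYNFIN as an option, or update them in the same change. The description should also name the commit that made the behaviour part of the default kernel, so this removal can be checked against it.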
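Review bot: The share/man/man5/rc.conf.5 hunk (at line 952) changes manual page content with no matching .Dd date update; the diff for that file contains only this one hunk. Please add the .Dd bump so the page date reflects the edit. With the kernel-option sentence gone, the surviving warning that the setting "may break some legitimate applications" is the only caution left in this entry, so it should stay as is.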