From owner-freebsd-questions Fri Apr 21 0:48:26 2000
From: Salvo Bartolotta
Date: Fri, 21 Apr 2000 08:48:14 GMT
Message-ID: <20000421.8481400@bartequi.ottodomain.org>
Subject: Re: hmm.. restrict_rst & drop_synfin
To: Matt Heckaman, freebsd-questions@FreeBSD.ORG

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 4/21/00, 3:59:38 AM, Matt Heckaman wrote regarding Re: hmm.. restrict_rst & drop_synfin:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 20 Apr 2000, Bryan Bradsby wrote:
> [...]
> : You have to compile support for these options into the kernel. They are
> : not in the GENERIC kernel. See LINT for the proper syntax.
>
> Yes, I was informed of this shortly after my original post, and I'm not
> running the generic kernel, I do actually make my own kernels =) I am just
> one who expected that things listed in defaults/rc.conf would not require
> special kernel options, and that if they did, they should say so. I
> submitted a PR change request to have comments added that state this and
> refer people to LINT.
> Thanks
>
> : -bryan
> :
> Matt Heckaman
> matt@arpa.mail.net
> http://www.lucida.qc.ca
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.1 (FreeBSD)
> Comment: http://www.lucida.qc.ca/pgp
>
> iD8DBQE4/8QcdMMtMcA1U5ARAiFvAJ9GTYdGse0ZGIfkDElB0k8QFuozpwCfY7Mo
> +AUMAZJ6wWr22HYMtcOYTLk=
> =IuJ3
> -----END PGP SIGNATURE-----

Dear Matt Heckaman,

These options ARE documented in detail. From (wait for it) rc.conf(5):
     tcp_drop_synfin
             (bool) Set to NO by default.  Setting to YES will cause the
             kernel to ignore TCP frames that have both the SYN and FIN
             flags set.  This prevents OS fingerprinting, but may break
             some legitimate applications.  This option is only available
             if the kernel was built with the TCP_DROP_SYNFIN option.

     tcp_restrict_rst
             (bool) Set to NO by default.  Setting to YES will cause the
             kernel to refrain from emitting TCP RST frames in response to
             invalid TCP packets (e.g. frames destined for closed ports).
             This option is only available if the kernel was built with
             the TCP_RESTRICT_RST option.
RTFM, RTFM, RTFM ... :-)

This is taken from the man pages on my 3.4-S. The options are documented *where* one is supposed to have a look before putting hands on rc.conf :-O

However, you are quite right: this is NOT very visible and might mislead people. An additional note in LINT and/or in /etc/defaults/rc.conf should put things right.

I have yet to understand what difference (efficiency? type and level of action?), if any, there is between these options and the ipfw firewall rules performing analogous functions (i.e. deny [...] tcpflags) ... RTFM, RTFM, RTFM (myself, this time) :-)

Best regards,
Salvo
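The pitfall the thread turns on is that tcp_drop_synfin and tcp_restrict_rst in rc.conf silently do nothing unless the kernel was built with TCP_DROP_SYNFIN and TCP_RESTRICT_RST. The script below is an added example, not code from the thread or from FreeBSD: it cross-checks an rc.conf-style file against a kernel configuration file and reports every knob set to YES whose kernel option is missing. The file paths and file contents are constructed samples under a scratch directory; the GENERIC sample mirrors the situation Bryan describes (options absent), the CUSTOM sample a kernel built with both.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): flag rc.conf(5) TCP knobs
# that are enabled without the kernel option that implements them (see LINT).
# All sample files below are constructed for the demonstration.

# rc_enabled FILE VAR: succeed if FILE sets VAR to YES (quotes optional,
# case-insensitive, leading whitespace allowed, commented-out lines ignored).
rc_enabled() {
    grep -Eiq "^[[:space:]]*$2=[\"']?YES[\"']?[[:space:]]*(#.*)?\$" "$1"
}

# kernel_has_option FILE OPT: succeed if FILE contains an "options OPT" line.
kernel_has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# check_tcp_knobs RCCONF KERNCONF: print one line per enabled knob whose kernel
# option is absent from KERNCONF; succeed only when there is nothing to report.
check_tcp_knobs() {
    _rc=$1; _kern=$2; _bad=0
    for _pair in tcp_drop_synfin:TCP_DROP_SYNFIN tcp_restrict_rst:TCP_RESTRICT_RST; do
        _knob=${_pair%%:*}; _opt=${_pair##*:}
        if rc_enabled "$_rc" "$_knob" && ! kernel_has_option "$_kern" "$_opt"; then
            echo "$_knob=YES in $_rc has no effect: $_kern lacks 'options $_opt'"
            _bad=$((_bad + 1))
        fi
    done
    [ "$_bad" -eq 0 ]
}

# Constructed sample files in a scratch directory (hypothetical paths).
DEMO=$(mktemp -d)
cat > "$DEMO/rc.conf" <<'EOF'
# constructed rc.conf: both knobs switched on
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"
EOF
cat > "$DEMO/GENERIC" <<'EOF'
# constructed kernel config without the TCP options
ident   GENERIC
options INET
EOF
cat > "$DEMO/CUSTOM" <<'EOF'
# constructed custom kernel config carrying both options
ident   CUSTOM
options INET
options TCP_DROP_SYNFIN
options TCP_RESTRICT_RST
EOF

echo "== rc.conf against GENERIC =="
if check_tcp_knobs "$DEMO/rc.conf" "$DEMO/GENERIC"; then
    echo "(all enabled knobs are backed by kernel options)"
else
    echo "(mismatch: those knobs will be ignored by this kernel)"
fi
echo "== rc.conf against CUSTOM =="
if check_tcp_knobs "$DEMO/rc.conf" "$DEMO/CUSTOM"; then
    echo "(all enabled knobs are backed by kernel options)"
else
    echo "(mismatch: those knobs will be ignored by this kernel)"
fi
```

Run it against the real /etc/rc.conf and the kernel config file the running kernel was built from; on a GENERIC-like config both knobs come back as ineffective, which is exactly the surprise Matt describes. On the ipfw comparison Salvo raises: a rule of the form `deny tcp from any to any tcpflags syn,fin` discards the segment in the packet filter before it reaches the TCP input path, whereas TCP_DROP_SYNFIN changes what the TCP stack itself does with such a segment, so the two act at different layers and the firewall rule needs no kernel rebuild (beyond IPFIREWALL itself).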