Date: Fri, 13 Oct 2000 13:33:23 -0400 (EDT)
From: Ben Eisenbraun <bpeisenbraun@yahoo.com>
To: "Ivan S. Anisimov" <ivan@itp.ac.ru>
Cc: questions@freebsd.org
Subject: Re: how to stop being scanned by nmap?
Message-ID: <Pine.BSF.4.21.0010131331040.81138-100000@spring.thepond.com>
In-Reply-To: <39E73274.FFABE7AC@itp.ac.ru>
On Fri, 13 Oct 2000, Ivan S. Anisimov wrote:

> I saw somewhere an undocumented option in kernel config that
> somehow refuses SYN & ACK requests that prevents software

From /usr/src/sys/i386/conf/LINT :

# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
# or any system which one does not want to be easily portscannable.
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST

Looks documented to me. :-)

-ben

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
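The SYN+FIN condition named in the LINT comment above, written out as a user-space check over a raw IPv4 packet. This is an added example, not part of the original message and not FreeBSD kernel code; the function names, verdict values and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_FIN 0x01
#define FLAG_SYN 0x02

enum verdict { PKT_MALFORMED = -1, PKT_PASS = 0, PKT_DROP_SYNFIN = 1 };

/* Classify one raw IPv4 packet; flag TCP segments carrying both SYN and FIN. */
int classify_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PKT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* IP header length, bytes */
    if (ihl < 20 || len < ihl)
        return PKT_MALFORMED;
    if (pkt[9] != 6)                                  /* protocol 6 = TCP */
        return PKT_PASS;
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)       /* later fragment: no TCP header */
        return PKT_PASS;
    if (len < ihl + 20)                               /* truncated TCP header */
        return PKT_MALFORMED;
    uint8_t flags = pkt[ihl + 13];                    /* TCP flags byte */
    if ((flags & (FLAG_SYN | FLAG_FIN)) == (FLAG_SYN | FLAG_FIN))
        return PKT_DROP_SYNFIN;
    return PKT_PASS;
}

/* Constructed sample: minimal 40-byte IPv4+TCP packet with the given flags. */
int verdict_for_flags(uint8_t flags)
{
    uint8_t pkt[40];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45;            /* IPv4, IHL = 5 words */
    pkt[3] = 40;              /* total length */
    pkt[9] = 6;               /* TCP */
    pkt[20 + 12] = 0x50;      /* TCP data offset = 5 words */
    pkt[20 + 13] = flags;
    return classify_ipv4(pkt, sizeof pkt);
}

int main(void)
{
    printf("SYN     -> %d\n", verdict_for_flags(0x02));
    printf("SYN+FIN -> %d\n", verdict_for_flags(0x03));
    printf("FIN+ACK -> %d\n", verdict_for_flags(0x11));
    return 0;
}
```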