Date:      Tue, 16 Jan 2001 03:30:41 -0500
From:      "Dennis Jun" <dennisjun@home.com>
To:        "Pavol Adamec" <pavol_adamec@tempest.sk>
Cc:        <freebsd-questions@freebsd.org>
Subject:   Re: TCP_DROP_SYNFIN doesn't work?
Message-ID:  <00bb01c07f96$9cd7bc60$0300a8c0@wilma>
References:  <004a01c07f90$29bcef80$0300a8c0@wilma> <3A63FFF9.8E64A6AA@tempest.sk> <007901c07f93$9fea33e0$0300a8c0@wilma> <3A6402C6.98E6EDE@tempest.sk> <009101c07f95$ca3501a0$0300a8c0@wilma>

Ahh nm, I just remembered, use sysctl.
Thanx for your help!

----- Original Message -----
From: "Dennis Jun" <dennisjun@home.com>
To: "Pavol Adamec" <pavol_adamec@tempest.sk>
Cc: <freebsd-questions@FreeBSD.ORG>
Sent: Tuesday, January 16, 2001 3:21 AM
Subject: Re: TCP_DROP_SYNFIN doesn't work?


> Damn! I didn't realise I had to enable that in rc.conf. Hah! Now how would
> I implement this change without actually rebooting the whole box? or
> dropping to single user mode and going back to multi?
>
>
> ----- Original Message -----
> From: "Pavol Adamec" <pavol_adamec@tempest.sk>
> To: "Dennis Jun" <dennisjun@home.com>
> Cc: <freebsd-questions@freebsd.org>
> Sent: Tuesday, January 16, 2001 3:13 AM
> Subject: Re: TCP_DROP_SYNFIN doesn't work?
>
>
> > You also add
> >
> > tcp_drop_synfin="YES"
> >
> > to your /etc/rc.conf because default setting from /etc/defaults/rc.conf
> > is
> >
> > tcp_drop_synfin="NO"        # Set to YES to drop TCP packets with SYN+FIN
> >
> > Paul
> >
> > Dennis Jun wrote:
> > >
> > > I have also implemented TCP_RESTRICT_RST as well.
> > >
> > > # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> > > # prevents nmap et al. from identifying the TCP/IP stack,...
> > >
> > > That is from LINT. Thus the reason for my question. My friend just
> > > upgraded his Linux kernel to 2.4.0 with the same option and it works for
> > > him. Thus I'm suspecting I'm doing something wrong but I wanted to know if
> > > others had this problem as well.
> > >
> > > ----- Original Message -----
> > > From: "Pavol Adamec" <pavol_adamec@tempest.sk>
> > > To: "Dennis Jun" <dennisjun@home.com>
> > > Cc: <freebsd-questions@FreeBSD.ORG>; <freebsd-security@FreeBSD.ORG>
> > > Sent: Tuesday, January 16, 2001 3:02 AM
> > > Subject: Re: TCP_DROP_SYNFIN
> > >
> > > > I'm not sure what you exactly meant by that but:
> > > >
> > > > TCP_DROP_SYNFIN forces kernel to drop packets with BOTH SYN and
> > > > FIN flags set. nmap -sS is a "half-open scan" - it sends packets
> > > > with only SYN flag set.
> > > > What you likely want is TCP_RESTRICT_RST - not to emit RST for SYN
> > > > packets to non-listening ports.
> > > >
> > > > Paul
> > > >
> > > > Dennis Jun wrote:
> > > > >
> > > > > I have compiled this option in my kernel on 3 different FreeBSD boxes
> > > > > (4.1.1-STABLE, 4.1-RELEASEs) and I have noticed that it doesn't work all
> > > > > the time. Specifically with this scan  nmap -v -O -sS .  Is it just me or
> > > > > does this not work for other people as well?
> > > > >
> > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > > with "unsubscribe freebsd-security" in the body of the message
> > > >
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-questions" in the body of the message
> >



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
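
Paul's point in the thread, that the option matches only packets carrying both SYN and FIN while a half-open scan sends SYN alone, modelled as an added example (not code from the thread or from the FreeBSD kernel). The function names and the sample headers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits, same values as in <netinet/tcp.h>. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Return the flags byte (offset 13) of a TCP header, or -1 if the
 * buffer is shorter than the minimal 20-byte header. */
int tcp_flags(const uint8_t *seg, size_t len)
{
    if (seg == NULL || len < 20)
        return -1;
    return seg[13];
}

/* Model of the decision: 1 = dropped silently, 0 = handled normally,
 * -1 = malformed. drop_synfin stands for the runtime switch that
 * tcp_drop_synfin="YES" turns on (hypothetical parameter name). */
int synfin_verdict(const uint8_t *seg, size_t len, int drop_synfin)
{
    int fl = tcp_flags(seg, len);
    if (fl < 0)
        return -1;
    /* Both bits must be set; SYN alone or FIN alone does not match. */
    if (drop_synfin && (fl & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN))
        return 1;
    return 0;
}

/* Constructed sample: minimal option-less TCP header with the given flags. */
void make_segment(uint8_t seg[20], uint8_t flags)
{
    memset(seg, 0, 20);
    seg[12] = 0x50;   /* data offset = 5 words, no options */
    seg[13] = flags;
}

int main(void)
{
    uint8_t seg[20];
    make_segment(seg, TH_SYN);            /* SYN only, as in a half-open scan */
    printf("SYN only: %d\n", synfin_verdict(seg, sizeof seg, 1));
    make_segment(seg, TH_SYN | TH_FIN);   /* the combination the option targets */
    printf("SYN+FIN:  %d\n", synfin_verdict(seg, sizeof seg, 1));
    return 0;
}
```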