authordes <des@FreeBSD.org>2001-03-19 22:07:32 +0000
committerdes <des@FreeBSD.org>2001-03-19 22:07:32 +0000
commit097a9d6bae16257ca039fa6a77f1c9a2b8adbc26 (patch)
treeb237d1b327a05d1bbf33edfc981119f3994f77ef
parentd0f798c1511603114cebeb179c36e5b22f827f1b (diff)
downloadFreeBSD-src-097a9d6bae16257ca039fa6a77f1c9a2b8adbc26.zip
FreeBSD-src-097a9d6bae16257ca039fa6a77f1c9a2b8adbc26.tar.gz
Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few
very specific scenarios, and now that we have had net.inet.tcp.blackhole for quite some time there is really no reason to use it any more. (second of three commits)
-rw-r--r--etc/defaults/rc.conf1
-rw-r--r--etc/network.subr7
-rw-r--r--etc/rc.d/netoptions7
-rw-r--r--etc/rc.d/network17
-rw-r--r--etc/rc.d/network27
-rw-r--r--etc/rc.d/network37
-rw-r--r--etc/rc.d/routing7
-rw-r--r--etc/rc.network7
-rw-r--r--share/man/man5/rc.conf.58
9 files changed, 0 insertions, 58 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index d05dc77..27e274f 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -79,7 +79,6 @@ tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
# TCP_RESTRICT_RST set in your kernel. Please refer to LINT for details.
tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
# NOTE: this violates the TCP specification
-tcp_restrict_rst="NO" # Set to YES to restrict emission of RST
icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
network_interfaces="auto" # List of network interfaces (or "auto").
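Review bot: The context comment directly above `tcp_drop_synfin` still names the removed option (`# TCP_RESTRICT_RST set in your kernel. Please refer to LINT for details.`), so the defaults file keeps pointing administrators at a kernel option this commit series axes. The comment begins above the hunk and its first line is not visible here; the visible line should name only the surviving option, e.g. `# TCP_DROP_SYNFIN set in your kernel. Please refer to LINT for details.`, with the preceding line adjusted to match. Separately, as far as these hunks show, a local /etc/rc.conf that still sets `tcp_restrict_rst="YES"` will be ignored without any message once the `case ${tcp_restrict_rst}` block is gone from the rc scripts, so RST emission for closed ports resumes silently after an upgrade. A release-note entry or a one-line boot warning that points to `net.inet.tcp.blackhole` would let operators who relied on the old knob notice and migrate.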
diff --git a/etc/network.subr b/etc/network.subr
index c1ffb37..fbe8bf3 100644
--- a/etc/network.subr
+++ b/etc/network.subr
@@ -394,13 +394,6 @@ network_pass1() {
;;
esac
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
case ${tcp_drop_synfin} in
[Yy][Ee][Ss])
echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions
index c1ffb37..fbe8bf3 100644
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
@@ -394,13 +394,6 @@ network_pass1() {
;;
esac
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
case ${tcp_drop_synfin} in
[Yy][Ee][Ss])
echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.d/network1 b/etc/rc.d/network1
index c1ffb37..fbe8bf3 100644
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@@ -394,13 +394,6 @@ network_pass1() {
;;
esac
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
case ${tcp_drop_synfin} in
[Yy][Ee][Ss])
echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.d/network2 b/etc/rc.d/network2
index c1ffb37..fbe8bf3 100644
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
@@ -394,13 +394,6 @@ network_pass1() {
;;
esac
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
case ${tcp_drop_synfin} in
[Yy][Ee][Ss])
echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.d/network3 b/etc/rc.d/network3
index c1ffb37..fbe8bf3 100644
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@@ -394,13 +394,6 @@ network_pass1() {
;;
esac
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
case ${tcp_drop_synfin} in
[Yy][Ee][Ss])
echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.d/routing b/etc/rc.d/routing
index c1ffb37..fbe8bf3 100644
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@@ -394,13 +394,6 @@ network_pass1() {
;;
esac
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
case ${tcp_drop_synfin} in
[Yy][Ee][Ss])
echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.network b/etc/rc.network
index c1ffb37..fbe8bf3 100644
--- a/etc/rc.network
+++ b/etc/rc.network
@@ -394,13 +394,6 @@ network_pass1() {
;;
esac
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
case ${tcp_drop_synfin} in
[Yy][Ee][Ss])
echo -n ' drop SYN+FIN packets=YES'
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 76ec46a..cc86830 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -470,14 +470,6 @@ This prevents OS fingerprinting, but may
break some legitimate applications.
This option is only available if the
kernel was built with the TCP_DROP_SYNFIN option.
-.It Ar tcp_restrict_rst
-(bool) Set to
-.Ar NO
-by default.
-Setting to YES will cause the kernel to refrain from emitting TCP RST frames
-in response to invalid TCP packets (e.g. frames destined for closed ports).
-This option is only available if the kernel was built with the
-TCP_RESTRICT_RST option.
.It Ar icmp_drop_redirect
(bool) Set to
.Ar NO