author | des <des@FreeBSD.org> | 2001-03-19 22:03:11 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2001-03-19 22:03:11 +0000 |
commit | d0f798c1511603114cebeb179c36e5b22f827f1b (patch) | |
tree | f1aee84c165162c8b0a65be0715f9ddf03d6f837 | |
parent | 8b5320d4a50d269676d4e8c75120d565a3fc2dcc (diff) | |
Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few
very specific scenarios, and now that we have had net.inet.tcp.blackhole for
quite some time there is really no reason to use it any more.
(first of three commits)
-rw-r--r-- | sys/conf/NOTES | 8 |
-rw-r--r-- | sys/conf/options | 1 |
-rw-r--r-- | sys/i386/conf/NOTES | 8 |
3 files changed, 0 insertions, 17 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 52f32ed..6dd2f65 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -590,19 +590,11 @@ options TCPDEBUG options ACCEPT_FILTER_DATA options ACCEPT_FILTER_HTTP -# The following options add sysctl variables for controlling how certain -# TCP packets are handled. -# # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This # prevents nmap et al. from identifying the TCP/IP stack, but breaks support # for RFC1644 extensions and is not recommended for web servers. # -# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets. -# This is useful on systems which are exposed to SYN floods (e.g. IRC servers) -# or any system which one does not want to be easily portscannable. -# options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN -options TCP_RESTRICT_RST #restrict emission of TCP RST # DUMMYNET enables the "dummynet" bandwidth limiter. You need # IPFIREWALL as well. See the dummynet(4) manpage for more info. diff --git a/sys/conf/options b/sys/conf/options index e848c50..0878dad 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -278,7 +278,6 @@ SLIP_IFF_OPTS opt_slip.h TCP_COMPAT_42 opt_compat.h TCPDEBUG TCP_DROP_SYNFIN opt_tcp_input.h -TCP_RESTRICT_RST opt_tcp_input.h XBONEHACK # Netgraph(4). Use option NETGRAPH to enable the base netgraph code. diff --git a/sys/i386/conf/NOTES b/sys/i386/conf/NOTES index 52f32ed..6dd2f65 100644 --- a/sys/i386/conf/NOTES +++ b/sys/i386/conf/NOTES 
@@ -590,19 +590,11 @@ options TCPDEBUG options ACCEPT_FILTER_DATA options ACCEPT_FILTER_HTTP -# The following options add sysctl variables for controlling how certain -# TCP packets are handled. -# # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This # prevents nmap et al. from identifying the TCP/IP stack, but breaks support # for RFC1644 extensions and is not recommended for web servers. # -# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets. -# This is useful on systems which are exposed to SYN floods (e.g. IRC servers) -# or any system which one does not want to be easily portscannable. -# options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN -options TCP_RESTRICT_RST #restrict emission of TCP RST # DUMMYNET enables the "dummynet" bandwidth limiter. You need # IPFIREWALL as well. See the dummynet(4) manpage for more info. |
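Review bot: In the sys/conf/NOTES hunk, deleting the lead-in "The following options add sysctl variables for controlling how certain TCP packets are handled." removes the only statement in this block that the surviving option, TCP_DROP_SYNFIN, works through a sysctl variable. Suggest keeping that sentence in singular form above the TCP_DROP_SYNFIN paragraph instead of dropping it with the TCP_RESTRICT_RST text. The commit message names net.inet.tcp.blackhole as the reason the option is no longer needed, so a one-line pointer to it in this comment block would tell anyone who used "options TCP_RESTRICT_RST" where to look next.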
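Review bot: In the sys/conf/options hunk, the "TCP_RESTRICT_RST opt_tcp_input.h" mapping is removed here while the commit message says this is the first of three commits, and no source file that consumes opt_tcp_input.h is touched in the visible change. Please confirm the tree still builds at this intermediate revision, or reorder the series so that any remaining references to TCP_RESTRICT_RST are removed before its declaration. Kernel configuration files that still list the option are not addressed by anything in this patch, so a short upgrade note for users would help.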
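Review bot: The sys/i386/conf/NOTES hunk is identical to the sys/conf/NOTES one, down to the same index line (52f32ed..6dd2f65), so the comment about the dropped sysctl lead-in applies here as well and any wording change should be made in both files. If the two NOTES files are meant to stay identical, it is worth saying so in the commit message so the duplicate edit does not read as an accident.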