Add the net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin sysctl

variables, conditional on the TCP_RESTRICT_RST and TCP_DROP_SYNFIN kernel
options, respectively. See the comments in LINT for details.

2 files changed, 16 insertions, 0 deletions

diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 12f4c2b..1af39e1 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -469,6 +469,20 @@ options 	IPFILTER_LOG		#ipfilter logging
 options 	IPSTEALTH		#support for stealth forwarding
 options 	TCPDEBUG
 
+# The following options add sysctl variables for controlling how certain
+# TCP packets are handled.
+# 
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+# 
+# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
+# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
+# for RFC1644 extensions and is not recommended for web servers.
+# 
+options		TCP_RESTRICT_RST	#restrict emission of TCP RST
+options		TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
+
 # ICMP_BANDLIM enables icmp error response bandwidth limiting.   You
 # typically want this option as it will help protect the machine from
 # D.O.S. packet attacks.
diff --git a/sys/conf/options b/sys/conf/options
index 8eb062f..c7458ad 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -228,6 +228,8 @@ PPP_FILTER		opt_ppp.h
 SLIP_IFF_OPTS		opt_slip.h
 TCP_COMPAT_42		opt_compat.h
 TCPDEBUG
+TCP_RESTRICT_RST	opt_tcp_input.h
+TCP_DROP_SYNFIN		opt_tcp_input.h
 
 # ATM (HARP version)
 ATM_CORE		opt_atm.h