Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few

very specific scenarios, and now that we have had net.inet.tcp.blackhole for
quite some time there is really no reason to use it any more.

(first of three commits)

1 files changed, 0 insertions, 8 deletions

diff --git a/sys/i386/conf/NOTES b/sys/i386/conf/NOTES
index 52f32ed..6dd2f65 100644
--- a/sys/i386/conf/NOTES
+++ b/sys/i386/conf/NOTES
@@ -590,19 +590,11 @@ options 	TCPDEBUG
 options		ACCEPT_FILTER_DATA
 options		ACCEPT_FILTER_HTTP
 
-# The following options add sysctl variables for controlling how certain
-# TCP packets are handled.
-#
 # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
 # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
 # for RFC1644 extensions and is not recommended for web servers.
 #
-# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
-# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
-# or any system which one does not want to be easily portscannable.
-#
 options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
-options 	TCP_RESTRICT_RST	#restrict emission of TCP RST
 
 # DUMMYNET enables the "dummynet" bandwidth limiter. You need
 # IPFIREWALL as well. See the dummynet(4) manpage for more info.