-rw-r--r--etc/defaults/rc.conf3
-rw-r--r--etc/network.subr10
-rw-r--r--etc/rc.d/netoptions10
-rw-r--r--etc/rc.d/network110
-rw-r--r--etc/rc.d/network210
-rw-r--r--etc/rc.d/network310
-rw-r--r--etc/rc.d/routing10
-rw-r--r--etc/rc.network10
-rw-r--r--sys/conf/NOTES14
-rw-r--r--sys/conf/options2
-rw-r--r--sys/i386/conf/LINT14
-rw-r--r--sys/i386/conf/NOTES14
-rw-r--r--sys/netinet/tcp_input.c29
-rw-r--r--sys/netinet/tcp_reass.c29
14 files changed, 175 insertions, 0 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 9bc1a75..b62f6f9 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -49,6 +49,9 @@ natd_flags="" # Additional flags for natd.
tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions.
log_in_vain="NO" # YES to log connects to ports w/o listeners.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
+tcp_restrict_rst="NO" # Set to YES to restrict emission of RST
+tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
+ # NOTE: this breaks rfc1644 extensions (T/TCP)
icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
network_interfaces="auto" # List of network interfaces (or "auto").
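Review bot: The new comments do not say that both knobs only work on a kernel built with the matching options; in the kernel half of this change the sysctls are wrapped in `#ifdef TCP_RESTRICT_RST` / `#ifdef TCP_DROP_SYNFIN`, so on a stock kernel setting either to YES makes the rc script's `sysctl -w` fail. I would extend the two comments: `tcp_restrict_rst="NO" # Set to YES to restrict emission of RST (needs options TCP_RESTRICT_RST)` and `tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN (needs options TCP_DROP_SYNFIN)`. The restrict_rst line should also carry the operational cost the way the synfin line carries its T/TCP caveat, e.g. `# NOTE: peers hitting a closed port time out instead of getting a reset`.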
diff --git a/etc/network.subr b/etc/network.subr
index d132525..781c73f 100644
--- a/etc/network.subr
+++ b/etc/network.subr
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
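Review bot: Both new blocks print "restrict TCP reset=YES" / "drop SYN+FIN packets=YES" before the sysctl has been set, and the OID exists only when the kernel was built with TCP_RESTRICT_RST / TCP_DROP_SYNFIN (the kernel half of this change wraps the SYSCTL_INT in #ifdef), so on a kernel without them the boot log claims the protection is on while `sysctl -w` prints an error to stderr that is not redirected. Consider probing first, e.g. `if [ "X$tcp_restrict_rst" = X"YES" ] && sysctl net.inet.tcp.restrict_rst >/dev/null 2>&1; then` (and the same for drop_synfin), assuming sysctl(8) on this release exits non-zero for an unknown OID; otherwise echo the status only after the write succeeds. The existing always_keepalive block above has the same shape, so this follows file convention; the difference is that a silently failing hardening knob gives a false sense of security. network_pass1 starts before this hunk.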
diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions
index d132525..781c73f 100644
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
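Review bot: The "restrict TCP reset=YES" and "drop SYN+FIN packets=YES" messages are printed before the corresponding `sysctl -w`, and the OIDs are compiled in only under TCP_RESTRICT_RST / TCP_DROP_SYNFIN (see the #ifdef around the SYSCTL_INT in the kernel part of this change), so a kernel without those options logs the knob as enabled while the write fails with an unredirected stderr message. A guard such as `if [ "X$tcp_restrict_rst" = X"YES" ] && sysctl net.inet.tcp.restrict_rst >/dev/null 2>&1; then` (likewise for drop_synfin) would keep the boot output honest, assuming sysctl(8) here exits non-zero on an unknown OID. network_pass1 starts before this hunk.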
diff --git a/etc/rc.d/network1 b/etc/rc.d/network1
index d132525..781c73f 100644
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
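Review bot: The status message for each new knob is echoed before `sysctl -w` runs, and since net.inet.tcp.restrict_rst / drop_synfin exist only in a kernel built with TCP_RESTRICT_RST / TCP_DROP_SYNFIN (the SYSCTL_INT lines in this change are under #ifdef), a stock kernel reports "=YES" while the write fails on stderr. Probing the OID first, e.g. `if [ "X$tcp_drop_synfin" = X"YES" ] && sysctl net.inet.tcp.drop_synfin >/dev/null 2>&1; then`, avoids announcing a hardening setting that is not in effect; this assumes sysctl(8) on this release returns non-zero for an unknown OID. network_pass1 starts before this hunk.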
diff --git a/etc/rc.d/network2 b/etc/rc.d/network2
index d132525..781c73f 100644
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
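Review bot: "restrict TCP reset=YES" and "drop SYN+FIN packets=YES" are printed unconditionally before the sysctl write, but the two OIDs only exist when the kernel includes TCP_RESTRICT_RST / TCP_DROP_SYNFIN (their SYSCTL_INT definitions in this change are #ifdef-guarded), so the boot log can claim a protection that a GENERIC kernel never applied. Guarding with a probe such as `if [ "X$tcp_restrict_rst" = X"YES" ] && sysctl net.inet.tcp.restrict_rst >/dev/null 2>&1; then` (and the same for drop_synfin) keeps the message truthful, on the assumption that sysctl(8) exits non-zero for an unknown OID on this release. network_pass1 starts before this hunk.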
diff --git a/etc/rc.d/network3 b/etc/rc.d/network3
index d132525..781c73f 100644
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
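Review bot: Each new block announces the knob as enabled before `sysctl -w` is attempted, and because net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin are compiled in only under TCP_RESTRICT_RST / TCP_DROP_SYNFIN (the kernel hunks of this change wrap them in #ifdef), a kernel without those options prints "=YES" and then an unredirected sysctl error. Checking the OID first, e.g. `if [ "X$tcp_drop_synfin" = X"YES" ] && sysctl net.inet.tcp.drop_synfin >/dev/null 2>&1; then`, prevents a hardening knob from silently not applying; this assumes sysctl(8) returns non-zero for unknown OIDs on this release. network_pass1 starts before this hunk.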
diff --git a/etc/rc.d/routing b/etc/rc.d/routing
index d132525..781c73f 100644
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
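Review bot: The "=YES" status is echoed before the `sysctl -w` that implements it, and the two OIDs exist only in kernels built with TCP_RESTRICT_RST / TCP_DROP_SYNFIN (the SYSCTL_INT definitions added elsewhere in this change are under #ifdef), so on a stock kernel the boot log reports the protection while the write fails on stderr. A probe such as `if [ "X$tcp_restrict_rst" = X"YES" ] && sysctl net.inet.tcp.restrict_rst >/dev/null 2>&1; then` (likewise for drop_synfin) keeps the reported state accurate, assuming sysctl(8) on this release exits non-zero for an unknown OID. network_pass1 starts before this hunk.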
diff --git a/etc/rc.network b/etc/rc.network
index d132525..781c73f 100644
--- a/etc/rc.network
+++ b/etc/rc.network
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
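Review bot: Both new blocks print "restrict TCP reset=YES" / "drop SYN+FIN packets=YES" before `sysctl -w` runs, and since the OIDs are only compiled in under TCP_RESTRICT_RST / TCP_DROP_SYNFIN (their SYSCTL_INT definitions in this change are #ifdef-guarded) a kernel without those options logs the knob as on while the write fails with an unredirected error. Guarding on the OID's presence, e.g. `if [ "X$tcp_drop_synfin" = X"YES" ] && sysctl net.inet.tcp.drop_synfin >/dev/null 2>&1; then`, avoids a silently inactive hardening setting; this assumes sysctl(8) returns non-zero for an unknown OID on this release. The existing always_keepalive block has the same shape, so this is file convention rather than a regression. network_pass1 starts before this hunk.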
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 12f4c2b..1af39e1 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -469,6 +469,20 @@ options IPFILTER_LOG #ipfilter logging
options IPSTEALTH #support for stealth forwarding
options TCPDEBUG
+# The following options add sysctl variables for controlling how certain
+# TCP packets are handled.
+#
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+#
+# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
+# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
+# for RFC1644 extensions and is not recommended for web servers.
+#
+options TCP_RESTRICT_RST #restrict emission of TCP RST
+options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
+
# ICMP_BANDLIM enables icmp error response bandwidth limiting. You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
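Review bot: The TCP_RESTRICT_RST text overstates the benefit: from what this change shows, suppressing RST only saves the reply to segments that match no socket or arrive in an invalid state, which reduces outbound reply bandwidth under a junk-packet flood but does nothing about the listen-queue exhaustion a real SYN flood causes, and a scanner still tells open ports (SYN/ACK) from the rest — closed ports merely look filtered instead of closed. The TCP_DROP_SYNFIN text is likewise too strong: it removes the SYN+FIN probe, but fingerprinting tools use other probes as well (FIN/NULL to open ports, option and window analysis), so "prevents nmap et al. from identifying the TCP/IP stack" should be "removes one of the probes nmap et al. use". I would reword to `# TCP_RESTRICT_RST suppresses the RST replies sent to segments matching no connection; this cuts reply bandwidth under packet floods and makes closed ports look filtered, at the cost of peers timing out instead of being told the port is closed.` and `# TCP_DROP_SYNFIN ignores segments with SYN+FIN set, removing one stack-fingerprinting probe; it does not hide the stack from other probes and breaks RFC1644 (T/TCP).`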
diff --git a/sys/conf/options b/sys/conf/options
index 8eb062f..c7458ad 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -228,6 +228,8 @@ PPP_FILTER opt_ppp.h
SLIP_IFF_OPTS opt_slip.h
TCP_COMPAT_42 opt_compat.h
TCPDEBUG
+TCP_RESTRICT_RST opt_tcp_input.h
+TCP_DROP_SYNFIN opt_tcp_input.h
# ATM (HARP version)
ATM_CORE opt_atm.h
diff --git a/sys/i386/conf/LINT b/sys/i386/conf/LINT
index 12f4c2b..1af39e1 100644
--- a/sys/i386/conf/LINT
+++ b/sys/i386/conf/LINT
@@ -469,6 +469,20 @@ options IPFILTER_LOG #ipfilter logging
options IPSTEALTH #support for stealth forwarding
options TCPDEBUG
+# The following options add sysctl variables for controlling how certain
+# TCP packets are handled.
+#
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+#
+# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
+# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
+# for RFC1644 extensions and is not recommended for web servers.
+#
+options TCP_RESTRICT_RST #restrict emission of TCP RST
+options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
+
# ICMP_BANDLIM enables icmp error response bandwidth limiting. You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
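Review bot: The TCP_RESTRICT_RST description promises more than the code delivers: withholding RST trims the reply to segments that hit no socket, which helps reply bandwidth under junk floods, but as far as this change shows it does not touch the listen-queue pressure of a SYN flood, and open ports still answer SYN/ACK so a port scan still works (closed ports just read as filtered). For TCP_DROP_SYNFIN, "prevents nmap et al. from identifying the TCP/IP stack" should be softened to "removes one of the probes nmap et al. use", since other fingerprint probes are unaffected. Suggested wording: `# TCP_RESTRICT_RST suppresses RST replies to segments matching no connection (less reply bandwidth under floods, closed ports look filtered; peers time out instead of being refused).` and `# TCP_DROP_SYNFIN ignores SYN+FIN segments, removing one fingerprinting probe; breaks RFC1644 (T/TCP).`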
diff --git a/sys/i386/conf/NOTES b/sys/i386/conf/NOTES
index 12f4c2b..1af39e1 100644
--- a/sys/i386/conf/NOTES
+++ b/sys/i386/conf/NOTES
@@ -469,6 +469,20 @@ options IPFILTER_LOG #ipfilter logging
options IPSTEALTH #support for stealth forwarding
options TCPDEBUG
+# The following options add sysctl variables for controlling how certain
+# TCP packets are handled.
+#
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+#
+# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
+# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
+# for RFC1644 extensions and is not recommended for web servers.
+#
+options TCP_RESTRICT_RST #restrict emission of TCP RST
+options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
+
# ICMP_BANDLIM enables icmp error response bandwidth limiting. You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
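Review bot: The comment block oversells both options: TCP_RESTRICT_RST only withholds the RST reply to segments that match no connection, which reduces reply bandwidth and makes closed ports look filtered but, from what this change shows, does nothing for the listen-queue exhaustion of a genuine SYN flood and does not stop open ports from answering a scan; TCP_DROP_SYNFIN removes a single fingerprinting probe rather than preventing stack identification. I would write `# TCP_RESTRICT_RST suppresses RST replies to segments matching no connection; this cuts reply bandwidth under floods and makes closed ports look filtered, but peers time out instead of being refused.` and `# TCP_DROP_SYNFIN ignores SYN+FIN segments, removing one probe used by fingerprinting tools such as nmap; it breaks RFC1644 (T/TCP) and is not recommended for web servers.`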
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 53034ff..7fa0da2 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -36,6 +36,7 @@
#include "opt_ipfw.h" /* for ipfw_fwd */
#include "opt_tcpdebug.h"
+#include "opt_tcp_input.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -93,6 +94,18 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
&tcp_delack_enabled, 0,
"Delay ACK to try and piggyback it onto a data packet");
+#ifdef TCP_RESTRICT_RST
+static int restrict_rst = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, restrict_rst, CTLFLAG_RW,
+ &restrict_rst, 0, "Restrict RST emission");
+#endif
+
+#ifdef TCP_DROP_SYNFIN
+static int drop_synfin = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
+ &drop_synfin, 0, "Drop TCP packets with FIN+ACK set");
+#endif
+
struct inpcbhead tcb;
struct inpcbinfo tcbinfo;
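Review bot: The sysctl description for drop_synfin says "Drop TCP packets with FIN+ACK set", but the check this change adds in tcp_input drops segments with SYN and FIN set, so `sysctl -d` will tell an operator the wrong thing about a security knob; change it to `&drop_synfin, 0, "Drop TCP packets with SYN+FIN set");`. The description strings are the only documentation the running kernel exposes for these flags, so they need to match the code exactly. Both variables being plain CTLFLAG_RW ints with no range check is acceptable for a boolean, though any non-zero value will enable the behaviour.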
@@ -340,6 +353,18 @@ tcp_input(m, iphlen)
}
tiflags = ti->ti_flags;
+#ifdef TCP_DROP_SYNFIN
+ /*
+ * If the drop_synfin option is enabled, drop all packets with
+ * both the SYN and FIN bits set. This prevents e.g. nmap from
+ * identifying the TCP/IP stack.
+ *
+ * This is incompatible with RFC1644 extensions (T/TCP).
+ */
+ if (drop_synfin && (tiflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
+ goto drop;
+#endif
+
/*
* Convert TCP protocol specific fields to host format.
*/
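Review bot: The new drop is completely silent: `goto drop` discards the segment (the label is outside the hunk, so presumably it frees the mbuf) without incrementing any tcpstat counter or logging, so an operator who enables this to deflect fingerprinting cannot tell how often it fires or notice a burst of SYN+FIN probes — exactly the event a SOC would want to see. I would bump a tcpstat counter in this file's tcps_* convention, or emit a log_in_vain-style message, before the goto. The comment should also be honest about scope: replace "This prevents e.g. nmap from identifying the TCP/IP stack." with `* This removes one of the probes nmap and similar tools use to` / `* fingerprint the stack; it does not hide the stack from other probes.` tcp_input starts before this hunk.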
@@ -1849,6 +1874,10 @@ dropafterack:
return;
dropwithreset:
+#ifdef TCP_RESTRICT_RST
+ if (restrict_rst)
+ goto drop;
+#endif
/*
* Generate a RST, dropping incoming segment.
* Make ACK acceptable to originator of segment.
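Review bot: The restrict_rst short-circuit suppresses every RST from the dropwithreset path, not just those answering probes to closed ports: a legitimate peer whose connection this host no longer knows about (after a reboot, for instance) would normally receive a RST and fail fast, and with this knob on it will retransmit until its own timeout instead. That cost appears nowhere in the change; I would state it above the check: `/* Also silences the RST a stale legitimate peer relies on; it will time out instead. */`. A rate-limited RST, in the spirit of the ICMP_BANDLIM option the NOTES text references, would keep most of the flood protection without an all-or-nothing loss of the signal; as written the knob cannot be tuned. The dropwithreset path continues past the end of the hunk.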
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 53034ff..7fa0da2 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -36,6 +36,7 @@
#include "opt_ipfw.h" /* for ipfw_fwd */
#include "opt_tcpdebug.h"
+#include "opt_tcp_input.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -93,6 +94,18 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
&tcp_delack_enabled, 0,
"Delay ACK to try and piggyback it onto a data packet");
+#ifdef TCP_RESTRICT_RST
+static int restrict_rst = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, restrict_rst, CTLFLAG_RW,
+ &restrict_rst, 0, "Restrict RST emission");
+#endif
+
+#ifdef TCP_DROP_SYNFIN
+static int drop_synfin = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
+ &drop_synfin, 0, "Drop TCP packets with FIN+ACK set");
+#endif
+
struct inpcbhead tcb;
struct inpcbinfo tcbinfo;
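Review bot: The drop_synfin sysctl description "Drop TCP packets with FIN+ACK set" contradicts the check added below in this file, which drops segments carrying SYN and FIN; an operator consulting `sysctl -d` would be misled about a security knob. Change it to `&drop_synfin, 0, "Drop TCP packets with SYN+FIN set");`. These strings are the only runtime documentation for the flags, so they must track the code.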
@@ -340,6 +353,18 @@ tcp_input(m, iphlen)
}
tiflags = ti->ti_flags;
+#ifdef TCP_DROP_SYNFIN
+ /*
+ * If the drop_synfin option is enabled, drop all packets with
+ * both the SYN and FIN bits set. This prevents e.g. nmap from
+ * identifying the TCP/IP stack.
+ *
+ * This is incompatible with RFC1644 extensions (T/TCP).
+ */
+ if (drop_synfin && (tiflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
+ goto drop;
+#endif
+
/*
* Convert TCP protocol specific fields to host format.
*/
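Review bot: The SYN+FIN drop gives no operational signal: `goto drop` (label outside the hunk, presumably freeing the segment) runs without a tcpstat increment or log line, so nobody can see how often the knob fires or spot a fingerprinting sweep. Consider incrementing a tcpstat counter in this file's tcps_* convention or emitting a log_in_vain-style message before the goto. The comment also overstates the effect; "This prevents e.g. nmap from identifying the TCP/IP stack." should read `* This removes one of the probes nmap and similar tools use; it does not` / `* hide the stack from their other probes.` tcp_input starts before this hunk.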
@@ -1849,6 +1874,10 @@ dropafterack:
return;
dropwithreset:
+#ifdef TCP_RESTRICT_RST
+ if (restrict_rst)
+ goto drop;
+#endif
/*
* Generate a RST, dropping incoming segment.
* Make ACK acceptable to originator of segment.
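Review bot: `if (restrict_rst) goto drop;` withholds every RST the dropwithreset path would send, including the one a legitimate peer needs when this host has lost its connection state (e.g. after a reboot); such peers will now retransmit until their own timeout rather than failing fast, and nothing in the change documents that trade-off. I would add `/* Also silences the RST a stale legitimate peer relies on; it will time out instead. */` above the check. A rate-limited RST, along the lines of the ICMP_BANDLIM option mentioned in the NOTES text, would retain most of the flood protection without the blanket loss of the signal. The dropwithreset path continues past the end of the hunk.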