Diffstat (limited to 'sys/conf')
-rw-r--r--sys/conf/NOTES14
-rw-r--r--sys/conf/options2
2 files changed, 16 insertions, 0 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 12f4c2b..1af39e1 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -469,6 +469,20 @@ options IPFILTER_LOG #ipfilter logging
options IPSTEALTH #support for stealth forwarding
options TCPDEBUG
+# The following options add sysctl variables for controlling how certain
+# TCP packets are handled.
+#
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+#
+# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
+# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
+# for RFC1644 extensions and is not recommended for web servers.
+#
+options TCP_RESTRICT_RST #restrict emission of TCP RST
+options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
+
# ICMP_BANDLIM enables icmp error response bandwidth limiting. You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
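Review bot: The new comment block above `options TCP_RESTRICT_RST` says the options "add sysctl variables" but names neither the variables nor their state once the option is compiled in. An administrator reading NOTES cannot tell whether building with the option already changes packet handling or only makes it switchable. If the behaviour is off until the sysctl is set (not visible in this diff), a line such as `# Both options only compile in the support; nothing changes until the matching sysctl is enabled.` would make that explicit. The TCP_RESTRICT_RST paragraph should also state the cost, as the TCP_DROP_SYNFIN paragraph does for RFC1644: with RSTs suppressed, legitimate peers connecting to a closed port wait for a timeout instead of being refused at once. It only makes scan results less definite; it does not stand in for packet filtering.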
diff --git a/sys/conf/options b/sys/conf/options
index 8eb062f..c7458ad 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -228,6 +228,8 @@ PPP_FILTER opt_ppp.h
SLIP_IFF_OPTS opt_slip.h
TCP_COMPAT_42 opt_compat.h
TCPDEBUG
+TCP_RESTRICT_RST opt_tcp_input.h
+TCP_DROP_SYNFIN opt_tcp_input.h
# ATM (HARP version)
ATM_CORE opt_atm.h
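Review bot: Both new entries, `TCP_RESTRICT_RST opt_tcp_input.h` and `TCP_DROP_SYNFIN opt_tcp_input.h`, route the options into a generated header. Every source file that tests either macro therefore has to include `opt_tcp_input.h`; otherwise the `#ifdef` is silently false and the kernel builds without the restriction the configuration asks for. The consuming files are outside this view, which is limited to sys/conf, so please confirm that each of them includes the header. A short comment above the two entries naming the files that consume them would help keep that in sync.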