Diffstat (limited to 'sys/i386/conf/LINT')
-rw-r--r-- | sys/i386/conf/LINT | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/sys/i386/conf/LINT b/sys/i386/conf/LINT
index 12f4c2b..1af39e1 100644
--- a/sys/i386/conf/LINT
+++ b/sys/i386/conf/LINT
@@ -469,6 +469,20 @@
 options IPFILTER_LOG #ipfilter logging
 options IPSTEALTH #support for stealth forwarding
 options TCPDEBUG
+# The following options add sysctl variables for controlling how certain
+# TCP packets are handled.
+#
+# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
+# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
+# or any system which one does not want to be easily portscannable.
+#
+# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
+# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
+# for RFC1644 extensions and is not recommended for web servers.
+#
+options TCP_RESTRICT_RST #restrict emission of TCP RST
+options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
+
 # ICMP_BANDLIM enables icmp error response bandwidth limiting. You
 # typically want this option as it will help protect the machine from
 # D.O.S. packet attacks. |
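Review bot: The comment block added above `options TCP_RESTRICT_RST` overstates what the two options deliver and omits how they are switched on. Dropping SYN+FIN segments removes only one of the signals a fingerprinting tool relies on, so `prevents nmap et al. from identifying the TCP/IP stack` would be more accurate as `makes TCP/IP stack fingerprinting by nmap et al. harder`. Likewise, suppressing RSTs makes closed ports look filtered and saves outbound traffic during a flood, but it does nothing for the listen queue and leaves legitimate clients waiting for a timeout instead of an immediate refusal; the TCP_RESTRICT_RST paragraph should say so. Since the text states that the options only add sysctl variables, it should also name those variables and give their default (presumably off), so an administrator knows that compiling the option in is not sufficient by itself.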