From 4d628082ace71f3ad6b9c8b7679ffc8f8f50065c Mon Sep 17 00:00:00 2001 From: des Date: Mon, 13 Sep 1999 09:18:31 +0000 Subject: Document tcp_keepalive, tcp_drop_synfin, tcp_restrict_rst, icmp_drop_redirect and icmp_log_redirect. --- share/man/man5/rc.conf.5 | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index f37dee6..274e401 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 
@@ -213,6 +213,40 @@ to be broken with respect to these options. by default. Setting to YES will enable logging of connection attempts to ports that have no listening socket on them. +.It Ar tcp_keepalive +(bool) Set to +.Ar YES +by default. +Setting to NO will disable probing idle TCP connections to verify that the +peer is still up and reachable. +.It Ar tcp_drop_synfin +(bool) Set to +.Ar NO +by default. +Setting to YES will cause the kernel to ignore TCP frames that have both +the SYN and FIN flags set. This prevents OS fingerprinting, but may +break some legitimate applications. This option is only available if the +kernel was built with the TCP_DROP_SYNFIN option. +.It Ar tcp_restrict_rst +(bool) Set to +.Ar NO +by default. +Setting to YES will cause the kernel to refrain from emitting TCP RST frames +in response to invalid TCP packets (e.g. frames destined for closed ports). +This option is only available if the kernel was built with the +TCP_RESTRICT_RST option. +.It Ar icmp_drop_redirect +(bool) Set to +.Ar NO +by default. +Setting to YES will cause the kernel to ignore ICMP REDIRECT packets. +.It Ar icmp_log_redirect +(bool) Set to +.Ar NO +by default. +Setting to YES will cause the kernel to log ICMP REDIRECT packets. Not that +the log messages are not rate-limited, so this option should only be used +for troubleshooting your own network. .It Ar network_interfaces (str) Set to the list of network interfaces to configure on this host. For example, if you had a loopback device (standard) and an SMC Elite -- cgit v1.1
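Review bot: In the icmp_log_redirect entry, "Not that the log messages are not rate-limited" should read "Note that the log messages are not rate-limited"; as written, the warning is easy to misread. In the tcp_drop_synfin entry, "This prevents OS fingerprinting" claims more than the option's described behaviour supports, since it only ignores frames with both SYN and FIN set; wording such as "This hinders OS fingerprinting that relies on SYN+FIN frames" would match it, and the entry should say which legitimate applications may break so an administrator can judge the trade-off. The tcp_restrict_rst and icmp_drop_redirect entries carry no comparable note on side effects, although both change how the host answers or honours traffic; a sentence each on the operational impact would keep the entries consistent. The dependency on the TCP_DROP_SYNFIN and TCP_RESTRICT_RST kernel options is documented, but not what happens when the variable is set to YES on a kernel built without them; that is worth stating.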