From 19e7731a48a4eb97e3756995fb2a8094f13594e6 Mon Sep 17 00:00:00 2001
From: des
Date: Sun, 12 Sep 1999 17:22:08 +0000
Subject: Add the net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin sysctl variables, conditional on the TCP_RESTRICT_RST and TCP_DROP_SYNFIN kernel options, respectively. See the comments in LINT for details.
---
etc/defaults/rc.conf | 3 +++
etc/network.subr | 10 ++++++++++
etc/rc.d/netoptions | 10 ++++++++++
etc/rc.d/network1 | 10 ++++++++++
etc/rc.d/network2 | 10 ++++++++++
etc/rc.d/network3 | 10 ++++++++++
etc/rc.d/routing | 10 ++++++++++
etc/rc.network | 10 ++++++++++
8 files changed, 73 insertions(+)
(limited to 'etc')
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 9bc1a75..b62f6f9 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -49,6 +49,9 @@ natd_flags="" # Additional flags for natd.
 tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions.
 log_in_vain="NO" # YES to log connects to ports w/o listeners.
 tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
+tcp_restrict_rst="NO" # Set to YES to restrict emission of RST
+tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
+ # NOTE: this breaks rfc1644 extensions (T/TCP)
 icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
 icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto" # List of network interfaces (or "auto").
diff --git a/etc/network.subr b/etc/network.subr
index d132525..781c73f 100644
--- a/etc/network.subr
+++ b/etc/network.subr
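Review bot: The comment on the added `tcp_restrict_rst` line does not mention that, per the commit message, the underlying sysctl only exists on a kernel built with the TCP_RESTRICT_RST option, so an operator reading rc.conf alone will set YES and presumably get no effect. Suggest `tcp_restrict_rst="NO" # Set to YES to restrict emission of RST (needs TCP_RESTRICT_RST in kernel)`, and a matching `(needs TCP_DROP_SYNFIN in kernel)` hint on the tcp_drop_synfin line alongside its existing T/TCP note, so both defaults document their precondition the way the T/TCP caveat already does.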
@@ -229,6 +229,16 @@ network_pass1() {
 sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
 fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
 if [ "${ipxgateway_enable}" = "YES" ]; then
 echo -n ' IPX gateway=YES'
 sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions
index d132525..781c73f 100644
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
@@ -229,6 +229,16 @@ network_pass1() {
 sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
 fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
 if [ "${ipxgateway_enable}" = "YES" ]; then
 echo -n ' IPX gateway=YES'
 sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.d/network1 b/etc/rc.d/network1
index d132525..781c73f 100644
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@@ -229,6 +229,16 @@ network_pass1() {
 sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
 fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
 if [ "${ipxgateway_enable}" = "YES" ]; then
 echo -n ' IPX gateway=YES'
 sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.d/network2 b/etc/rc.d/network2
index d132525..781c73f 100644
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
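Review bot: The `echo -n ' restrict TCP reset=YES'` is printed before `sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null` runs and regardless of its outcome; since the commit message makes this sysctl conditional on the TCP_RESTRICT_RST kernel option, a kernel built without it presumably has no such oid, so the boot banner reports the hardening as enabled while the set failed, with only sysctl's stderr (not redirected) hinting otherwise. The same applies to the tcp_drop_synfin block here and to the identical hunks in etc/rc.d/netoptions, etc/rc.d/network1, etc/rc.d/network2, etc/rc.d/network3, etc/rc.d/routing and etc/rc.network. Consider gating the message on the exit status, `sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null && echo -n ' restrict TCP reset=YES'`, and the analogous line for drop_synfin, so the banner only claims what actually took effect. Minor style point: the new tests use the `"X$var" = X"YES"` form while the adjacent ipxgateway check uses `"${ipxgateway_enable}" = "YES"`; one form should be used consistently. network_pass1's body begins and continues outside the hunk.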
@@ -229,6 +229,16 @@ network_pass1() {
 sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
 fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
 if [ "${ipxgateway_enable}" = "YES" ]; then
 echo -n ' IPX gateway=YES'
 sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.d/network3 b/etc/rc.d/network3
index d132525..781c73f 100644
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@@ -229,6 +229,16 @@ network_pass1() {
 sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
 fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
 if [ "${ipxgateway_enable}" = "YES" ]; then
 echo -n ' IPX gateway=YES'
 sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.d/routing b/etc/rc.d/routing
index d132525..781c73f 100644
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@@ -229,6 +229,16 @@ network_pass1() {
 sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
 fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
 if [ "${ipxgateway_enable}" = "YES" ]; then
 echo -n ' IPX gateway=YES'
 sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.network b/etc/rc.network
index d132525..781c73f 100644
--- a/etc/rc.network
+++ b/etc/rc.network
@@ -229,6 +229,16 @@ network_pass1() {
 sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
 fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
 if [ "${ipxgateway_enable}" = "YES" ]; then
 echo -n ' IPX gateway=YES'
 sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
--
cgit v1.1