Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few
very specific scenarios, and now that we have had net.inet.tcp.blackhole for quite some time there is really no reason to use it any more. (first of three commits)
parent 6371776c8e
commit 11b876c98e
@ -590,19 +590,11 @@ options TCPDEBUG
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP

# The following options add sysctl variables for controlling how certain
# TCP packets are handled.
#
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
# or any system which one does not want to be easily portscannable.
#
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST

# DUMMYNET enables the "dummynet" bandwidth limiter. You need
# IPFIREWALL as well. See the dummynet(4) manpage for more info.
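Review bot: the surviving comment block still opens with "The following options add sysctl variables for controlling how certain TCP packets are handled" and then describes only TCP_DROP_SYNFIN, and nothing in this hunk tells an administrator what replaced the removed knob; since the commit message gives net.inet.tcp.blackhole as the reason TCP_RESTRICT_RST is no longer needed, add a one-line pointer beside the TCP_DROP_SYNFIN entry, e.g. `# Suppressing RSTs to closed ports is now a runtime setting: see net.inet.tcp.blackhole in blackhole(4).`, so the migration path is visible where the old option used to be documented.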
@ -278,7 +278,6 @@ SLIP_IFF_OPTS opt_slip.h
TCP_COMPAT_42 opt_compat.h
TCPDEBUG
TCP_DROP_SYNFIN opt_tcp_input.h
TCP_RESTRICT_RST opt_tcp_input.h
XBONEHACK

# Netgraph(4). Use option NETGRAPH to enable the base netgraph code.
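Review bot: dropping the TCP_RESTRICT_RST entry from the options table while the commit message says this is only the first of three commits leaves any code still guarded by that option in the TCP input path unreachable until the follow-ups land, and kernel configs that still carry `options TCP_RESTRICT_RST` get no hint of what replaced it; an UPDATING entry pointing at net.inet.tcp.blackhole, committed alongside this change, would cover both. The TCP_DROP_SYNFIN entry keeps opt_tcp_input.h, so that header is still generated and nothing else in this file needs to move.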
@ -590,19 +590,11 @@ options TCPDEBUG
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP

# The following options add sysctl variables for controlling how certain
# TCP packets are handled.
#
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
# or any system which one does not want to be easily portscannable.
#
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST

# DUMMYNET enables the "dummynet" bandwidth limiter. You need
# IPFIREWALL as well. See the dummynet(4) manpage for more info.
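Review bot: this hunk is line-for-line identical to the earlier -590,19 +590,11 hunk, including the `options TCPDEBUG` header context; if the page is rendering one file twice it is a display duplicate, and if it is a second LINT-style config file kept in lockstep the same comment applies here: add a pointer to net.inet.tcp.blackhole beside the surviving TCP_DROP_SYNFIN entry so both files carry the same migration note.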