Slight tweak to tcp.blackhole to add optional behaviour to

drop any segment arriving at a closed port.
tcp.blackhole=1 - only drop SYN without RST
tcp.blackhole=2 - drop everything without RST
tcp.blackhole=0 - always send RST - default behaviour

This confuses nmap -sF or -sX or -sN quite badly.
Geoff Rehmet 1999-08-18 15:40:05 +00:00
parent 62d50f2278
commit 2e4e1b4c31
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=50015
2 changed files with 52 additions and 18 deletions


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
* $Id: tcp_input.c,v 1.87 1999/07/18 14:42:48 jmb Exp $
* $Id: tcp_input.c,v 1.88 1999/08/17 12:17:52 csgr Exp $
*/
#include "opt_ipfw.h" /* for ipfw_fwd */
@ -395,22 +395,39 @@ tcp_input(m, iphlen)
* but should either do a listen or a connect soon.
*/
if (inp == NULL) {
if (log_in_vain && tiflags & TH_SYN) {
if (log_in_vain) {
char buf[4*sizeof "123"];
strcpy(buf, inet_ntoa(ti->ti_dst));
log(LOG_INFO,
"Connection attempt to TCP %s:%d from %s:%d\n",
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport));
switch (log_in_vain) {
case 1:
if(tiflags & TH_SYN)
log(LOG_INFO,
"Connection attempt to TCP %s:%d from %s:%d\n",
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport));
break;
case 2:
log(LOG_INFO,
"Connection attempt to TCP %s:%d from %s:%d flags:0x%x\n",
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport), tiflags);
break;
default:
break;
}
}
#ifdef ICMP_BANDLIM
if (badport_bandlim(1) < 0)
goto drop;
#endif
if(blackhole && tiflags & TH_SYN)
goto drop;
else
if(blackhole) {
switch (blackhole) {
case 1: if(tiflags & TH_SYN) goto drop;
case 2: goto drop ;
default : goto drop ;
}
} else
goto dropwithreset;
}
tp = intotcpcb(inp);
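Review bot: In the new `switch (blackhole)` at the end of the hunk, a segment without TH_SYN under blackhole=1 falls through from `case 1` into `case 2` and is dropped, so setting 1 behaves exactly like setting 2 (everything dropped, no RST) rather than the "only drop SYN" behaviour the commit message describes. A bare `break;` would not be a fix either, because control would then leave the `if (blackhole)` block, skip the `else goto dropwithreset`, and reach `tp = intotcpcb(inp)` with `inp == NULL`; the one-line change is `case 1: if (tiflags & TH_SYN) goto drop; else goto dropwithreset;`. With `default: goto drop;` present the separate `case 2` is redundant, and if the fall-through were ever intended it needs a `/* FALLTHROUGH */` comment so it is not mistaken for this bug. The enclosing tcp_input() starts and ends outside the hunk, and the second file section on this page repeats the same hunk, so this applies there as well.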


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
* $Id: tcp_input.c,v 1.87 1999/07/18 14:42:48 jmb Exp $
* $Id: tcp_input.c,v 1.88 1999/08/17 12:17:52 csgr Exp $
*/
#include "opt_ipfw.h" /* for ipfw_fwd */
@ -395,22 +395,39 @@ tcp_input(m, iphlen)
* but should either do a listen or a connect soon.
*/
if (inp == NULL) {
if (log_in_vain && tiflags & TH_SYN) {
if (log_in_vain) {
char buf[4*sizeof "123"];
strcpy(buf, inet_ntoa(ti->ti_dst));
log(LOG_INFO,
"Connection attempt to TCP %s:%d from %s:%d\n",
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport));
switch (log_in_vain) {
case 1:
if(tiflags & TH_SYN)
log(LOG_INFO,
"Connection attempt to TCP %s:%d from %s:%d\n",
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport));
break;
case 2:
log(LOG_INFO,
"Connection attempt to TCP %s:%d from %s:%d flags:0x%x\n",
buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
ntohs(ti->ti_sport), tiflags);
break;
default:
break;
}
}
#ifdef ICMP_BANDLIM
if (badport_bandlim(1) < 0)
goto drop;
#endif
if(blackhole && tiflags & TH_SYN)
goto drop;
else
if(blackhole) {
switch (blackhole) {
case 1: if(tiflags & TH_SYN) goto drop;
case 2: goto drop ;
default : goto drop ;
}
} else
goto dropwithreset;
}
tp = intotcpcb(inp);