TCP RST handling in 6.0
Mike Silbersack
silby at silby.com
Tue Nov 8 11:23:48 PST 2005
On Tue, 8 Nov 2005, Lars Eggert wrote:
> Thus, I'd like to suggest that the default for net.inet.tcp.insecure_rst be
> zero for now. AFAIK, any other TCP mod came disabled by default in the past,
> too.
>
> Lars
I'm open to discussing the change. I plan to revisit that and the SYN
causing a connection reset issue after eurobsdcon.
However, I'm open to clubbing you over the head for not saying anything
throughout the entire 6.0 release cycle and requesting the change AFTER
THE RELEASE HAS SHIPPED. Since 6.0 shipped with this feature on, I don't
think we should flip the setting back to off until a good reason has been
given.
While we're on the subject of potential problems, I'd like to throw out an
idea. What would people think of a "log perhaps somewhat in vain" option
(turned on by default) that logged unusual looking packets to
/var/log/ip.log - but did it in a ratelimited fashion, so that it would
not be possible for attackers to chew up disk space. This would of
course get written to during an attack, but it would also log legitimate
cases, such as where a RST blocked by this setting came in. This could
also be used to tell if future changes cause additional incompatibilities.
Such a feature wouldn't cause performance problems, but I could see there
being privacy concerns. If the log was only root readable, what would
people think? Remember that I'm talking only about logging "odd" packets,
and only their TCP/IP flags and fields, not the data contents.
Mike "Silby" Silbersack
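As an added illustration (not FreeBSD kernel code, and not part of the original post), the following C model puts the two things under discussion side by side: the RST acceptance check that net.inet.tcp.insecure_rst toggles, and a rate-limited logger of "odd" packets that records TCP/IP header fields only. The model assumes that, with insecure_rst off, a RST is honoured only when its sequence number exactly matches the last ACK we sent, that an in-window but inexact RST is answered with an ACK rather than tearing the connection down, and that out-of-window RSTs are ignored in both modes; the struct and function names, the fixed-window limiter, and the sample addresses and arrival times are all constructed for the example.

```c
/* Model of the insecure_rst check plus rate-limited odd-packet logging.
 * Added example; not FreeBSD code. Names, timing units and sample
 * packets are constructed for illustration. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sequence arithmetic that survives 32-bit wraparound, like the BSD SEQ_* macros. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

struct tcp_state {
    uint32_t last_ack_sent;  /* sequence number we last acknowledged */
    uint32_t rcv_wnd;        /* receive window we last advertised */
};

enum rst_verdict { RST_DROP, RST_CHALLENGE, RST_ACCEPT };

/* insecure_rst != 0: any in-window RST resets the connection (the 6.0 default).
 * insecure_rst == 0: only an exact match on last_ack_sent does; other in-window
 * RSTs are answered with an ACK and the connection survives (assumption). */
enum rst_verdict tcp_rst_verdict(const struct tcp_state *tp, uint32_t th_seq, int insecure_rst)
{
    bool in_window = SEQ_GEQ(th_seq, tp->last_ack_sent) &&
                     SEQ_LT(th_seq, tp->last_ack_sent + tp->rcv_wnd);
    if (!in_window)
        return RST_DROP;                 /* ignored in either mode */
    if (insecure_rst || th_seq == tp->last_ack_sent)
        return RST_ACCEPT;               /* connection is torn down */
    return RST_CHALLENGE;                /* in window, not exact: ACK it, keep the connection */
}

/* Fixed-window limiter: at most `burst` log lines per `interval` time units, plus
 * one summary line per interval for what was suppressed, so a flood cannot grow
 * the log faster than the configured budget. */
struct ratelimit { uint32_t burst, tokens; uint64_t interval, window_start, suppressed; };

void ratelimit_init(struct ratelimit *rl, uint32_t burst, uint64_t interval)
{
    rl->burst = rl->tokens = burst;
    rl->interval = interval;
    rl->window_start = 0;
    rl->suppressed = 0;
}

bool ratelimit_allow(struct ratelimit *rl, uint64_t now, FILE *log)
{
    if (now - rl->window_start >= rl->interval) {
        if (rl->suppressed && log)
            fprintf(log, "%" PRIu64 " odd packets not logged in the previous interval\n", rl->suppressed);
        rl->window_start = now;
        rl->tokens = rl->burst;
        rl->suppressed = 0;
    }
    if (rl->tokens) { rl->tokens--; return true; }
    rl->suppressed++;
    return false;
}

/* Only header fields are kept, as the post proposes; no payload bytes. */
struct odd_pkt { uint64_t t; const char *src, *dst; uint16_t sport, dport; uint32_t seq; uint8_t flags; };

/* Constructed sample: a peer at 10.0.0.2 hitting a connection whose
 * last_ack_sent is 1000 with a 65535-byte window. 0x04 = RST, 0x14 = RST|ACK. */
static const struct odd_pkt sample[] = {
    {  0, "10.0.0.2", "10.0.0.1", 40000, 22,    1000, 0x14 },  /* exact: resets in both modes */
    {  1, "10.0.0.2", "10.0.0.1", 40000, 22,    5000, 0x04 },  /* in window, inexact */
    {  2, "10.0.0.2", "10.0.0.1", 40000, 22,    9096, 0x04 },
    {  3, "10.0.0.2", "10.0.0.1", 40000, 22,   13192, 0x04 },
    {  4, "10.0.0.2", "10.0.0.1", 40000, 22,   17288, 0x04 },
    {  5, "10.0.0.2", "10.0.0.1", 40000, 22, 3000000, 0x04 },  /* out of window */
    {  6, "10.0.0.2", "10.0.0.1", 40000, 22,   21384, 0x04 },
    { 10, "10.0.0.2", "10.0.0.1", 40000, 22,   25480, 0x04 },  /* next interval starts here */
    { 11, "10.0.0.2", "10.0.0.1", 40000, 22,    1000, 0x14 },
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

/* Feed RSTs to the check; log every one that did not reset the connection, subject
 * to the limiter. Returns how many RSTs were honoured; *logged counts lines written. */
unsigned process_rsts(const struct tcp_state *tp, int insecure_rst, const struct odd_pkt *pkts,
                      size_t n, struct ratelimit *rl, FILE *log, unsigned *logged)
{
    unsigned resets = 0;
    *logged = 0;
    for (size_t i = 0; i < n; i++) {
        enum rst_verdict v = tcp_rst_verdict(tp, pkts[i].seq, insecure_rst);
        if (v == RST_ACCEPT) { resets++; continue; }
        if (!ratelimit_allow(rl, pkts[i].t, log)) continue;
        (*logged)++;
        if (log)
            fprintf(log, "t=%" PRIu64 " RST %s:%u > %s:%u seq=%" PRIu32 " flags=0x%02x %s\n",
                    pkts[i].t, pkts[i].src, (unsigned)pkts[i].sport, pkts[i].dst, (unsigned)pkts[i].dport,
                    pkts[i].seq, (unsigned)pkts[i].flags,
                    v == RST_DROP ? "dropped (out of window)" : "blocked (in window, not exact; ACK sent)");
    }
    return resets;
}

int main(void)
{
    struct tcp_state tp = { 1000, 65535 };
    struct ratelimit rl;
    unsigned logged;
    ratelimit_init(&rl, 3, 10);          /* 3 lines per 10 time units */
    unsigned resets = process_rsts(&tp, 0, sample, SAMPLE_N, &rl, stdout, &logged);
    printf("insecure_rst=0: %u resets, %u log lines\n", resets, logged);
    return 0;
}
```

Run stand-alone, the secure mode logs the first three blocked RSTs of the first interval, suppresses the rest, emits one summary line when the interval rolls over at t=10, and honours only the two exact-match RSTs; flipping insecure_rst to 1 makes every in-window RST reset the connection and leaves only the out-of-window packet for the log.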