SYN scans and ipfw/kernel options

Graham Anderson ganderson at dusa.co.uk
Mon Apr 26 04:04:10 PDT 2004


I'm looking for advice on some options to help against SYN and other stealth
scans.

I've compiled my kernel with the TCP_DROP_SYNFIN option but have read that
enabling this with tcp_drop_synfin=YES in rc.conf may not be the best thing
to do if I want to use httpd. What are the problems with using
tcp_drop_synfin=YES on a web server? Will it break anything, or is this
simply non-RFC-compliant?

Also, does this simply drop packets with both SYN+FIN or either of them?

Also, trying to config a kernel with TCP_RESTRICT_RST fails as an unknown
option. Like ICMP_BANDLIM, is this enabled by default on CURRENT?

If I shouldn't use tcp_drop_synfin=YES in rc.conf on a web server, what rule
would be suitable for dropping SYN packets in my ipfw ruleset?

Cheers

Graham

----------------------
Graham Anderson
Dundee University Students Association
DUSA
Airlie Place
Dundee
DD1 4HP
01382 223084
----------------------
 



More information about the freebsd-questions mailing list