On Wed, Dec 19, 2001 at 05:33:13PM +0200, Ruslan Ermilov wrote:
> On Wed, Dec 19, 2001 at 06:19:29PM +0300, Yar Tikhiy wrote:
> >
> > I ran into an absolutely clear, but year-old PR pointing out that
> > a router in the IPSTEALTH mode will reveal itself when processing
> > IP options: kern/23123.
> >
> > The fix proposed seems clean and right to me: don't do IP options
> > at all when in the IPSTEALTH mode. Does anyone have objections?
> > If no, I'll commit the fix.
> >
> What if the packet is directed to us? I think we should still
> process options in this case, and the patch in the PR doesn't
> seem to do it.
Good point! Indeed, just ignoring IP options would let a third party
identify a FreeBSD host as a stealthy router. I think it's safe to
move doing IP options to after identifying an IP packet as destined
for this or another host. I'll make a patch and show it here.

> <PS>
> I was going to replace IPSTEALTH functionality with the
> net.inet.ip.decttl knob. Setting it to 0 would match the
> IPSTEALTH behavior, the default value will be 1.
> </PS>

In fact, IPSTEALTH does already have a sysctl knob: net.inet.ip.stealth,
which is initially zero (i.e. don't be stealthy.) To my mind, the
"stealth" name fits its purpose better since just leaving TTL untouched
is insufficient for a router to achieve really stealthy behaviour.

-- 
Yar
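The reordering Yar describes (classify the packet as local or transit first, then decide whether to run IP option processing), as an added illustration that is not part of the thread or of FreeBSD's ip_input(). It is a constructed C model: a record-route option stands in for any option whose processing writes the router's own address into the packet (an assumption of the example), `stealth` stands in for net.inet.ip.stealth, and the addresses are made up.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the ip_input() ordering discussed above; not
 * FreeBSD's code. Record route (RFC 791 option 7) is the stand-in for
 * "an option whose processing writes our address into the packet". */
#define RR_MAX 4

struct pkt {
    uint32_t dst;           /* destination address */
    uint8_t  ttl;
    bool     has_rr;        /* carries a record-route option */
    uint32_t rr[RR_MAX];    /* addresses recorded so far */
    int      rr_len;
};

struct result {
    bool did_options;       /* the ip_dooptions() equivalent ran */
    bool decremented_ttl;   /* only for forwarded packets when not stealthy */
    bool forwarded;
};

static void do_options(struct pkt *p, uint32_t us)
{
    if (p->has_rr && p->rr_len < RR_MAX)
        p->rr[p->rr_len++] = us;    /* this write exposes a transit hop */
}

/* stealth models net.inet.ip.stealth; options_after_classify selects
 * the proposed order (classify, then options) vs the original order
 * (options first, before we know whether we are a hop or the endpoint). */
static struct result ip_input_model(struct pkt *p, uint32_t us,
                                    bool stealth, bool options_after_classify)
{
    struct result r = {false, false, false};
    bool local;

    if (!options_after_classify) {          /* original order */
        do_options(p, us);
        r.did_options = true;
    }
    local = (p->dst == us);
    if (options_after_classify && (local || !stealth)) {
        do_options(p, us);                  /* skipped only when stealthy and transit */
        r.did_options = true;
    }
    if (!local) {
        r.forwarded = true;
        if (!stealth) {                     /* a stealthy router leaves TTL alone */
            p->ttl--;
            r.decremented_ttl = true;
        }
    }
    return r;
}
```

With the proposed order a stealthy router neither records itself in transit packets nor touches their TTL, while packets addressed to it still get their options processed.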