diff -urP linux-2.4.19/Documentation/Configure.help linux-2.4.19/Documentation/Configure.help
--- linux-2.4.19/Documentation/Configure.help Fri Aug 2 20:39:42 2002
+++ linux-2.4.19/Documentation/Configure.help Wed Aug 28 21:15:14 2002
@@ -2926,6 +2926,24 @@
 If unsure, say N.
+IP: TCP stack options
+CONFIG_NET_STEALTH
+ If you say Y here, note that these options are now enabled by
+ default; you can disable them by executing the commands
+
+ echo 0 >/proc/sys/net/ipv4/tcp_ignore_ack
+ echo 0 >/proc/sys/net/ipv4/tcp_ignore_bogus
+ echo 0 >/proc/sys/net/ipv4/tcp_ignore_synfin
+
+ at boot time after the /proc file system has been mounted.
+
+ If security is more important, say Y.
+
+Log all droped packets
+CONFIG_NET_STEALTH_LOG
+ This turns on a logging facility that logs all tcp packets with
+ bad flags. If you said Y to "TCP stack options", say Y.
+
 # Choice: alphatype
 Alpha system type
 CONFIG_ALPHA_GENERIC
diff -urP linux-2.4.19/Makefile linux-2.4.19/Makefile
--- linux-2.4.19/Makefile Fri Aug 2 20:39:46 2002
+++ linux-2.4.19/Makefile Wed Aug 28 21:14:23 2002
@@ -1,7 +1,7 @@
 VERSION = 2
 PATCHLEVEL = 4
 SUBLEVEL = 19
-EXTRAVERSION =
+EXTRAVERSION = -stealth
 KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
diff -urP linux-2.4.19/arch/alpha/defconfig linux-2.4.19/arch/alpha/defconfig
--- linux-2.4.19/arch/alpha/defconfig Mon Nov 19 18:19:42 2001
+++ linux-2.4.19/arch/alpha/defconfig Wed Aug 28 21:15:00 2002
@@ -135,6 +135,8 @@
 # CONFIG_IP_MROUTE is not set
 CONFIG_INET_ECN=y
 # CONFIG_SYN_COOKIES is not set
+CONFIG_NET_STEALTH=y
+CONFIG_NET_STEALTH_LOG=y
 #
 # IP: Netfilter Configuration
diff -urP linux-2.4.19/arch/arm/defconfig linux-2.4.19/arch/arm/defconfig
--- linux-2.4.19/arch/arm/defconfig Sat May 19 20:43:05 2001
+++ linux-2.4.19/arch/arm/defconfig Wed Aug 28 21:15:10 2002
@@ -180,6 +180,8 @@
 # CONFIG_NET_IPGRE is not set
 # CONFIG_INET_ECN is not set
 # CONFIG_SYN_COOKIES is not set
+CONFIG_NET_STEALTH=y
+CONFIG_NET_STEALTH_LOG=y
 # CONFIG_IPV6 is not set
 # CONFIG_KHTTPD is not set
 # CONFIG_ATM is not set
diff -urP linux-2.4.19/arch/cris/defconfig linux-2.4.19/arch/cris/defconfig
--- linux-2.4.19/arch/cris/defconfig Fri Aug 2 20:39:42 2002
+++ linux-2.4.19/arch/cris/defconfig Wed Aug 28 21:15:13 2002
@@ -218,6 +218,8 @@
 # CONFIG_NET_IPGRE is not set
 # CONFIG_INET_ECN is not set
 # CONFIG_SYN_COOKIES is not set
+CONFIG_NET_STEALTH=y
+CONFIG_NET_STEALTH_LOG=y
 # CONFIG_IPV6 is not set
 # CONFIG_KHTTPD is not set
 # CONFIG_ATM is not set
diff -urP linux-2.4.19/arch/i386/defconfig linux-2.4.19/arch/i386/defconfig
--- linux-2.4.19/arch/i386/defconfig Fri Aug 2 20:39:42 2002
+++ linux-2.4.19/arch/i386/defconfig Wed Aug 28 21:14:59 2002
@@ -172,6 +172,8 @@
 # CONFIG_IP_MROUTE is not set
 # CONFIG_INET_ECN is not set
 # CONFIG_SYN_COOKIES is not set
+CONFIG_NET_STEALTH=y
+CONFIG_NET_STEALTH_LOG=y
 # CONFIG_VLAN_8021Q is not set
 #
diff -urP linux-2.4.19/arch/ia64/defconfig linux-2.4.19/arch/ia64/defconfig
--- linux-2.4.19/arch/ia64/defconfig Fri Aug 2 20:39:42 2002
+++ linux-2.4.19/arch/ia64/defconfig Wed Aug 28 21:15:11 2002
@@ -92,6 +92,8 @@
 # CONFIG_NET_IPGRE is not set
 # CONFIG_INET_ECN is not set
 # CONFIG_SYN_COOKIES is not set
+CONFIG_NET_STEALTH=y
+CONFIG_NET_STEALTH_LOG=y
 # CONFIG_IPV6 is not set
 # CONFIG_KHTTPD is not set
 # CONFIG_ATM is not set
diff -urP linux-2.4.19/arch/m68k/defconfig linux-2.4.19/arch/m68k/defconfig
--- linux-2.4.19/arch/m68k/defconfig Mon Jun 19 15:56:08 2000
+++ linux-2.4.19/arch/m68k/defconfig Wed Aug 28 21:15:06 2002
@@ -91,6 +91,8 @@
 # CONFIG_NET_IPGRE is not set
 # CONFIG_IP_ALIAS is not set
 # CONFIG_SYN_COOKIES is not set
+CONFIG_NET_STEALTH=y
+CONFIG_NET_STEALTH_LOG=y
 #
 # (it is safe to leave these untouched)
diff -urP linux-2.4.19/arch/mips/defconfig linux-2.4.19/arch/mips/defconfig
--- linux-2.4.19/arch/mips/defconfig Fri Aug 2 20:39:43 2002
+++ linux-2.4.19/arch/mips/defconfig Wed Aug 28 21:15:01 2002
@@ -175,6 +175,8 @@
 # CONFIG_ARPD is not set
 # CONFIG_INET_ECN is not set
 # CONFIG_SYN_COOKIES is not set
+CONFIG_NET_STEALTH=y
+CONFIG_NET_STEALTH_LOG=y
 # CONFIG_IPV6 is not set
 # CONFIG_KHTTPD is not set
 # CONFIG_ATM is not set
diff -urP linux-2.4.19/arch/sparc/defconfig linux-2.4.19/arch/sparc/defconfig
--- linux-2.4.19/arch/sparc/defconfig Fri Aug 2 20:39:43 2002
+++ linux-2.4.19/arch/sparc/defconfig Wed Aug 28 21:15:00 2002
@@ -152,6 +152,8 @@
 # CONFIG_ARPD is not set
 # CONFIG_INET_ECN is not set
 # CONFIG_SYN_COOKIES is not set
+CONFIG_NET_STEALTH=y
+CONFIG_NET_STEALTH_LOG=y
 CONFIG_IPV6=m
 # CONFIG_KHTTPD is not set
 # CONFIG_ATM is not set
diff -urP linux-2.4.19/arch/sparc64/defconfig linux-2.4.19/arch/sparc64/defconfig
--- linux-2.4.19/arch/sparc64/defconfig Fri Aug 2 20:39:43 2002
+++ linux-2.4.19/arch/sparc64/defconfig Wed Aug 28 21:15:07 2002
@@ -191,6 +191,8 @@
 CONFIG_ARPD=y
 CONFIG_INET_ECN=y
 # CONFIG_SYN_COOKIES is not set
+CONFIG_NET_STEALTH=y
+CONFIG_NET_STEALTH_LOG=y
 CONFIG_IPV6=m
 # CONFIG_KHTTPD is not set
 # CONFIG_ATM is not set
diff -urP linux-2.4.19/include/linux/sysctl.h linux-2.4.19/include/linux/sysctl.h
--- linux-2.4.19/include/linux/sysctl.h Fri Aug 2 20:39:46 2002
+++ linux-2.4.19/include/linux/sysctl.h Wed Aug 28 21:14:25 2002
@@ -291,7 +291,11 @@
 NET_IPV4_NONLOCAL_BIND=88,
 NET_IPV4_ICMP_RATELIMIT=89,
 NET_IPV4_ICMP_RATEMASK=90,
- NET_TCP_TW_REUSE=91
+ NET_TCP_TW_REUSE=91,
+ NET_IPV4_IP_MASQ_UDP_DLOOSE=92,
+ NET_TCP_STACK_SYNFIN=93,
+ NET_TCP_STACK_BOGUS=94,
+ NET_TCP_STACK_ACK=95
 };
 enum {
diff -urP linux-2.4.19/net/ipv4/Config.in linux-2.4.19/net/ipv4/Config.in
--- linux-2.4.19/net/ipv4/Config.in Fri Dec 21 12:42:05 2001
+++ linux-2.4.19/net/ipv4/Config.in Wed Aug 28 21:14:33 2002
@@ -41,6 +41,10 @@
 fi
 bool ' IP: TCP Explicit Congestion Notification support' CONFIG_INET_ECN
 bool ' IP: TCP syncookie support (disabled per default)' CONFIG_SYN_COOKIES
+bool 'IP: TCP stack options (not enabled per default)' CONFIG_NET_STEALTH
+if [ "$CONFIG_NET_STEALTH" = "y" ]; then
+ bool 'Log all droped packets' CONFIG_NET_STEALTH_LOG
+fi
 if [ "$CONFIG_NETFILTER" != "n" ]; then
 source net/ipv4/netfilter/Config.in
 fi
diff -urP linux-2.4.19/net/ipv4/sysctl_net_ipv4.c linux-2.4.19/net/ipv4/sysctl_net_ipv4.c
--- linux-2.4.19/net/ipv4/sysctl_net_ipv4.c Fri Aug 2 20:39:46 2002
+++ linux-2.4.19/net/ipv4/sysctl_net_ipv4.c Wed Aug 28 21:25:33 2002
@@ -45,6 +45,11 @@
 extern int inet_peer_gc_mintime;
 extern int inet_peer_gc_maxtime;
+/* stealth stuff */
+extern int sysctl_tcp_ignore_synfin;
+extern int sysctl_tcp_ignore_bogus;
+extern int sysctl_tcp_ignore_ack;
+
 #ifdef CONFIG_SYSCTL
 static int tcp_retr1_max = 255;
 static int ip_local_port_range_min[] = { 1, 1 };
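Review bot: `NET_IPV4_IP_MASQ_UDP_DLOOSE=92` is added next to the three NET_TCP_STACK_* values but nothing else in this patch references it, so it only reserves a number in the externally visible sysctl numbering where a later patch may assign 92 to something else. Drop it, or add a comment naming the patch that owns it. The NET_TCP_STACK_* names also do not match the /proc names they are bound to in the sysctl_net_ipv4.c hunk (tcp_ignore_synfin, tcp_ignore_bogus, tcp_ignore_ack); naming them after the knob, e.g. `NET_TCP_IGNORE_SYNFIN`, lets a reader grep from one to the other.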
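Review bot: The prompt text `(not enabled per default)` contradicts what the rest of the patch installs: the tcp_input.c hunk initialises all three sysctl_tcp_ignore_* variables to 1, every defconfig hunk sets CONFIG_NET_STEALTH=y and CONFIG_NET_STEALTH_LOG=y, and the Configure.help text says the options are enabled by default. Either change the prompt to `bool 'IP: TCP stack options (enabled per default)' CONFIG_NET_STEALTH` or change the defaults, so an administrator reading the menu is not misled about what the running kernel does. The nested prompt also misspells dropped: `bool 'Log all dropped packets' CONFIG_NET_STEALTH_LOG`.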
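Review bot: The three `extern int sysctl_tcp_ignore_*` declarations are repeated verbatim in the tcp_ipv4.c hunk at line 67; the other sysctl_tcp_* variables defined in tcp_input.c are declared once in include/net/tcp.h, and these should follow the same route so the two copies cannot drift apart. The comment `/* stealth stuff */` adds nothing the names do not already say; `/* Knobs for dropping TCP segments with invalid flag combinations (see the checks in tcp_ipv4.c) */` would tell a reader what the variables control.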
@@ -153,6 +158,14 @@
 {NET_TCP_SYNCOOKIES, "tcp_syncookies",
 &sysctl_tcp_syncookies, sizeof(int), 0644, NULL, &proc_dointvec},
 #endif
+#ifdef CONFIG_NET_STEALTH
+ {NET_TCP_STACK_SYNFIN, "tcp_ignore_synfin",
+ &sysctl_tcp_ignore_synfin, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_TCP_STACK_BOGUS, "tcp_ignore_bogus",
+ &sysctl_tcp_ignore_bogus, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_TCP_STACK_ACK, "tcp_ignore_ack",
+ &sysctl_tcp_ignore_ack, sizeof(int), 0644, NULL, &proc_dointvec},
+#endif
 {NET_TCP_TW_RECYCLE, "tcp_tw_recycle",
 &sysctl_tcp_tw_recycle, sizeof(int), 0644, NULL, &proc_dointvec},
 {NET_TCP_ABORT_ON_OVERFLOW, "tcp_abort_on_overflow",
diff -urP linux-2.4.19/net/ipv4/tcp_input.c linux-2.4.19/net/ipv4/tcp_input.c
--- linux-2.4.19/net/ipv4/tcp_input.c Fri Aug 2 20:39:46 2002
+++ linux-2.4.19/net/ipv4/tcp_input.c Wed Aug 28 21:14:33 2002
@@ -72,6 +72,9 @@
 int sysctl_tcp_timestamps = 1;
 int sysctl_tcp_window_scaling = 1;
 int sysctl_tcp_sack = 1;
+int sysctl_tcp_ignore_synfin = 1;
+int sysctl_tcp_ignore_bogus = 1;
+int sysctl_tcp_ignore_ack = 1;
 int sysctl_tcp_fack = 1;
 int sysctl_tcp_reordering = TCP_FASTRETRANS_THRESH;
 #ifdef CONFIG_INET_ECN
diff -urP linux-2.4.19/net/ipv4/tcp_ipv4.c linux-2.4.19/net/ipv4/tcp_ipv4.c
--- linux-2.4.19/net/ipv4/tcp_ipv4.c Fri Aug 2 20:39:46 2002
+++ linux-2.4.19/net/ipv4/tcp_ipv4.c Wed Aug 28 21:29:04 2002
@@ -67,6 +67,10 @@
 extern int sysctl_ip_default_ttl;
 int sysctl_tcp_tw_reuse = 0;
+extern int sysctl_tcp_ignore_synfin;
+extern int sysctl_tcp_ignore_bogus;
+extern int sysctl_tcp_ignore_ack;
+
 /* Check TCP sequence numbers in ICMP packets. */
 #define ICMP_MIN_LENGTH 8
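Review bot: Only the ctl_table entries are inside `#ifdef CONFIG_NET_STEALTH`; the variables in the tcp_input.c hunk at line 72 are defined unconditionally with value 1 and the flag checks in the tcp_ipv4.c hunk at line 1738 are not guarded either, so a kernel built with CONFIG_NET_STEALTH=n still drops the segments and has no /proc knob to turn that off. Either put the definitions and the checks under the same `#ifdef CONFIG_NET_STEALTH`, or remove the guard here so the knobs always exist alongside the behaviour they control. The entries also use proc_dointvec with no bounds, so any integer is accepted where only 0 and 1 are meaningful; the file already has the min/max-array pattern (ip_local_port_range_min is visible in the previous hunk) if you want to reject other values at write time.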
@@ -1738,6 +1742,21 @@
 if ((skb->ip_summed != CHECKSUM_UNNECESSARY &&
 tcp_v4_checksum_init(skb) < 0))
 goto bad_packet;
+
+ if(sysctl_tcp_ignore_synfin) {
+ if(th->fin && th->syn)
+ goto tcp_bad_flags;
+ }
+
+ if(sysctl_tcp_ignore_bogus) {
+ if(!(th->ack || th->syn || th->rst) || th->res1)
+ goto tcp_bad_flags;
+ }
+
+ if(sysctl_tcp_ignore_ack) {
+ if(th->fin && th->psh && th->urg)
+ goto tcp_bad_flags;
+ }
 th = skb->h.th;
 TCP_SKB_CB(skb)->seq = ntohl(th->seq);
@@ -1775,6 +1794,31 @@
 sock_put(sk);
 return ret;
+#ifdef CONFIG_NET_STEALTH_LOG
+tcp_bad_flags:
+ printk(KERN_INFO
+ "Packet log: badflag DENY %s PROTO=TCP %d.%d.%d.%d:%d "
+ "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX I=%hu:%u:%u "
+ "T=%hu %c%c%c%c%c%c%c%c%c\n",
+ skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source),
+ NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest),
+ ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4,
+ skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq),
+ ntohl(th->ack_seq), skb->nh.iph->ttl,
+ th->res1 ? '1' : '.',
+ th->ece ? 'E' : '.',
+ th->cwr ? 'C' : '.',
+ th->ack ? 'A' : '.',
+ th->syn ? 'S' : '.',
+ th->fin ? 'F' : '.',
+ th->rst ? 'R' : '.',
+ th->psh ? 'P' : '.',
+ th->urg ? 'U' : '.' );
+ goto bad_packet;
+#else
+tcp_bad_flags:
+ goto bad_packet;
+#endif
 no_tcp_socket:
 if (skb->len < (th->doff<<2) || tcp_checksum_complete(skb)) {
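Review bot: The knob named tcp_ignore_ack never looks at th->ack: the test under `if(sysctl_tcp_ignore_ack)` is `th->fin && th->psh && th->urg`, so an operator reading the sysctl name cannot tell which segments they are switching the drop on or off for. Rename the variable and /proc entry after the flag combination it actually tests (consistently across the sysctl.h, sysctl_net_ipv4.c and tcp_input.c hunks), or at minimum comment each block with the rule it enforces, e.g. `/* none of ACK/SYN/RST set, or reserved bits set */` above the bogus check. All three checks read th before the `th = skb->h.th;` reassignment on the following context line, so they rely on an assignment earlier in the function that is outside this hunk; the enclosing function starts and ends outside the hunk. Every rejected segment goes to bad_packet, which, if I read the rest of this receive path correctly, counts it in the same error statistic as checksum failures, so these drops cannot be told apart in the SNMP counters; a dedicated counter would give operators a signal independent of the optional log line.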
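Review bot: The printk under CONFIG_NET_STEALTH_LOG fires once per rejected segment with no rate limiting, so a remote sender can fill the kernel log and the syslog spool at line rate, and every defconfig in this patch turns the option on. Guard it with the kernel's existing helper, `if (net_ratelimit())` immediately before the `printk(KERN_INFO`, as other per-packet messages in net/ipv4 do. The two `tcp_bad_flags:` labels and the two `goto bad_packet;` lines can be collapsed into one label and one goto with only the printk inside the `#ifdef`, which removes the duplicated label from the `#else` branch. The message also does not say which of the three rules rejected the segment; carrying the rule name in the line would spare an operator re-deriving it from the flag string.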