Re: [PATCH v4] add stealth mode

2015-09-23 Thread Eric Dumazet
On Wed, 2015-09-23 at 18:36 +0200, Matteo Croce wrote:
> 2015-09-16 13:06 GMT+02:00 Florian Westphal:
> >
> > Matteo Croce wrote:
> > > Add option to disable any reply not related to a listening socket,
> > > like RST/ACK for TCP and ICMP Port-Unreachable for

Re: [PATCH v4] add stealth mode

2015-09-23 Thread Matteo Croce
2015-09-16 13:06 GMT+02:00 Florian Westphal:
>
> Matteo Croce wrote:
> > Add option to disable any reply not related to a listening socket,
> > like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> > Also disables ICMP replies to echo request and

[PATCH v4] add stealth mode

2015-09-23 Thread Matteo Croce
Add option to disable any reply not related to a listening socket,
like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
Also disables ICMP replies to echo request and timestamp.
The stealth mode can be enabled selectively for a single interface.

Signed-off-by: Matteo Croce

Re: [PATCH v4] add stealth mode

2015-09-23 Thread David Miller
From: Matteo Croce
Date: Wed, 23 Sep 2015 18:36:12 +0200

> The point is to do the filtering without *tables at all,
> like /proc/sys/net/ipv4/icmp_echo_ignore_all does for pings

That's not a good argument, sorry.

Re: [PATCH v4] add stealth mode

2015-09-23 Thread David Miller
From: Matteo Croce
Date: Wed, 23 Sep 2015 18:32:12 +0200

> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be

Re: [PATCH v4] add stealth mode

2015-09-23 Thread David Miller
From: Eric Dumazet
Date: Wed, 23 Sep 2015 10:29:52 -0700

> Yes, but this adds code in many places, even for people not caring of
> such protection.
>
> The point is : people wanting firewall like protections should instead
> use netfilter framework.

+1

[PATCH v4] add stealth mode

2015-09-16 Thread Matteo Croce
Add option to disable any reply not related to a listening socket,
like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
Also disables ICMP replies to echo request and timestamp.
The stealth mode can be enabled selectively for a single interface.

Signed-off-by: Matteo Croce

Re: [PATCH v4] add stealth mode

2015-09-16 Thread Florian Westphal
Matteo Croce wrote:
> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.

Re: [PATCH v4] add stealth mode

2015-09-16 Thread Eric Dumazet
On Wed, 2015-09-16 at 11:54 +0200, Matteo Croce wrote: > diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c > index 93898e0..fe62ae0 100644 > --- a/net/ipv4/tcp_ipv4.c > +++ b/net/ipv4/tcp_ipv4.c > @@ -77,6 +77,7 @@ > #include > > #include > +#include > #include > #include >

Re: [PATCH v4] add stealth mode

2015-09-16 Thread Daniel Borkmann
On 09/16/2015 11:54 AM, Matteo Croce wrote: Add option to disable any reply not related to a listening socket, like RST/ACK for TCP and ICMP Port-Unreachable for UDP. Also disables ICMP replies to echo request and timestamp. The stealth mode can be enabled selectively for a single interface.

Re: [PATCH v4] add stealth mode

2015-09-16 Thread Daniel Borkmann
On 09/16/2015 12:45 PM, Matteo Croce wrote: 2015-09-16 12:26 GMT+02:00 Daniel Borkmann : On 09/16/2015 11:54 AM, Matteo Croce wrote: Add option to disable any reply not related to a listening socket, like RST/ACK for TCP and ICMP Port-Unreachable for UDP. Also disables