diff -urB linux-orig/Documentation/Configure.help linux/Documentation/Configure.help --- linux-orig/Documentation/Configure.help Tue Dec 12 04:16:11 2000 +++ linux/Documentation/Configure.help Tue Dec 12 04:16:43 2000 @@ -1243,6 +1243,32 @@ Chances are that you should say Y here for every machine which is run as a router and N for every regular host. If unsure, say N. +Stealth IP stack +CONFIG_IP_STEALTH + Use this option to enable "Stealth" code in the kernel's IP Stack. + The purpose of this is to make your machine "invisible" on a network. + + If you say Y here, note that stealth options are not enabled by + default; you can enable them by saying Y to "/proc filesystem support" + and "Sysctl support" below and executing a command such as: + echo 1 >/proc/sys/net/ipv4/tcp_restrict_rst + + Features and /proc interfaces: + tcp_restrict_rst - Do not send TCP RST packets + (no "Connection Refused") + udp_restrict_pu - Do not send ICMP_UNREACH on udp + (Prevents UDP portscans) + icmp_restrict - Do not reply to ICMP requests + (Excluding ping, see below) + igmp_restrict - Do not reply to IGMP requests + + Note that there is already a sysctl to ignore ICMP pings, + echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all + + Enabling all of the above and filtering all open ports should make + your machine very hard to detect, while not interfering with (most) + normal operation. + SYN flood protection CONFIG_SYN_COOKIES Normal TCP/IP networking is open to an attack known as "SYN Only in linux/Documentation: Configure.help.orig diff -urB linux-orig/include/linux/sysctl.h linux/include/linux/sysctl.h --- linux-orig/include/linux/sysctl.h Tue Dec 12 04:15:46 2000 +++ linux/include/linux/sysctl.h Tue Dec 12 04:16:43 2000 @@ -231,7 +231,16 @@ NET_IPV4_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=64, NET_IPV4_IGMP_MAX_MEMBERSHIPS=65, NET_IPV4_ALWAYS_DEFRAG=67, +#ifdef CONFIG_IP_STEALTH + NET_IPV4_IP_MASQ_UDP_DLOOSE=68, + NET_IPV4_TCP_RESTRICT_RST=69, + NET_IPV4_UDP_RESTRICT_PU=70, + NET_IPV4_IGMP_RESTRICT=71, + NET_IPV4_ICMP_RESTRICT=72 +#else NET_IPV4_IP_MASQ_UDP_DLOOSE=68 +#endif + }; enum { Only in linux/include/linux: sysctl.h.orig diff -urB linux-orig/net/ipv4/Config.in linux/net/ipv4/Config.in --- linux-orig/net/ipv4/Config.in Tue Dec 12 04:15:48 2000 +++ linux/net/ipv4/Config.in Tue Dec 12 04:16:43 2000 @@ -73,6 +73,7 @@ bool 'IP: ARP daemon support (EXPERIMENTAL)' CONFIG_ARPD fi fi +bool 'IP: Stealth Code (not enabled per default)' CONFIG_IP_STEALTH bool 'IP: TCP syncookie support (not enabled per default)' CONFIG_SYN_COOKIES comment '(it is safe to leave these untouched)' #bool 'IP: PC/TCP compatibility mode' CONFIG_INET_PCTCP diff -urB linux-orig/net/ipv4/icmp.c linux/net/ipv4/icmp.c --- linux-orig/net/ipv4/icmp.c Tue Dec 12 04:15:48 2000 +++ linux/net/ipv4/icmp.c Tue Dec 12 04:16:43 2000 @@ -317,6 +317,10 @@ int sysctl_icmp_echo_ignore_all = 0; int sysctl_icmp_echo_ignore_broadcasts = 0; +#ifdef CONFIG_IP_STEALTH +int sysctl_icmp_restrict = 0; +#endif + /* Control parameter - ignore bogus broadcast responses? */ int sysctl_icmp_ignore_bogus_error_responses =0; @@ -893,7 +897,10 @@ icmp_param.icmph.code=0; icmp_param.data_ptr=× icmp_param.data_len=12; +#ifdef CONFIG_IP_STEALTH + if (!sysctl_icmp_restrict) icmp_reply(&icmp_param, skb); +#endif } Only in linux/net/ipv4: icmp.c.orig diff -urB linux-orig/net/ipv4/igmp.c linux/net/ipv4/igmp.c --- linux-orig/net/ipv4/igmp.c Tue Dec 12 04:15:48 2000 +++ linux/net/ipv4/igmp.c Tue Dec 12 04:16:43 2000 @@ -99,6 +99,10 @@ #define IP_MAX_MEMBERSHIPS 20 +#ifdef CONFIG_IP_STEALTH +int sysctl_igmp_restrict = 0; +#endif + #ifdef CONFIG_IP_MULTICAST /* Parameter names and values are taken from igmp-v2-06 draft */ @@ -157,6 +161,9 @@ struct rtable *rt; u32 dst; + if (sysctl_igmp_restrict) + return(-1); + /* According to IGMPv2 specs, LEAVE messages are * sent to all-routers group. */ diff -urB linux-orig/net/ipv4/sysctl_net_ipv4.c linux/net/ipv4/sysctl_net_ipv4.c --- linux-orig/net/ipv4/sysctl_net_ipv4.c Tue Dec 12 04:15:48 2000 +++ linux/net/ipv4/sysctl_net_ipv4.c Tue Dec 12 04:16:43 2000 @@ -35,6 +35,13 @@ extern int sysctl_ip_masq_debug; extern int sysctl_ip_masq_udp_dloose; +#ifdef CONFIG_IP_STEALTH +extern int sysctl_tcp_restrict_rst; +extern int sysctl_udp_restrict_pu; +extern int sysctl_icmp_restrict; +extern int sysctl_igmp_restrict; +#endif + extern int sysctl_tcp_timestamps; extern int sysctl_tcp_window_scaling; extern int sysctl_tcp_sack; @@ -197,6 +204,16 @@ #ifdef CONFIG_IP_MULTICAST {NET_IPV4_IGMP_MAX_MEMBERSHIPS, "igmp_max_memberships", &sysctl_igmp_max_memberships, sizeof(int), 0644, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_IP_STEALTH + {NET_IPV4_TCP_RESTRICT_RST, "tcp_restrict_rst", + &sysctl_tcp_restrict_rst, sizeof(int), 0644, NULL, &proc_dointvec}, + {NET_IPV4_UDP_RESTRICT_PU, "udp_restrict_pu", + &sysctl_udp_restrict_pu, sizeof(int), 0644, NULL, &proc_dointvec}, + {NET_IPV4_ICMP_RESTRICT, "icmp_restrict", + &sysctl_icmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec}, + {NET_IPV4_IGMP_RESTRICT, "igmp_restrict", + &sysctl_igmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec}, #endif {0} }; Only in linux/net/ipv4: sysctl_net_ipv4.c.orig diff -urB linux-orig/net/ipv4/tcp_ipv4.c linux/net/ipv4/tcp_ipv4.c --- linux-orig/net/ipv4/tcp_ipv4.c Tue Dec 12 04:15:48 2000 +++ linux/net/ipv4/tcp_ipv4.c Tue Dec 12 04:16:43 2000 @@ -63,6 +63,10 @@ #include #include +#ifdef CONFIG_IP_STEALTH +int sysctl_tcp_restrict_rst = 0; +#endif + extern int sysctl_tcp_timestamps; extern int sysctl_tcp_window_scaling; extern int sysctl_tcp_sack; @@ -984,6 +988,10 @@ struct tcphdr rth; struct ip_reply_arg arg; +#ifdef CONFIG_IP_STEALTH + if (sysctl_tcp_restrict_rst) + return; +#endif /* Never send a reset in response to a reset. */ if (th->rst) return; diff -urB linux-orig/net/ipv4/udp.c linux/net/ipv4/udp.c --- linux-orig/net/ipv4/udp.c Tue Dec 12 04:15:48 2000 +++ linux/net/ipv4/udp.c Tue Dec 12 04:16:43 2000 @@ -115,6 +115,10 @@ #include #include +#ifdef CONFIG_IP_STEALTH +int sysctl_udp_restrict_pu = 0; +#endif + /* * Snmp MIB for the UDP layer */ @@ -1133,6 +1137,9 @@ goto csum_error; #endif udp_statistics.UdpNoPorts++; +#ifdef CONFIG_IP_STEALTH + if (!sysctl_udp_restrict_pu) +#endif icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); /*