Linux Kernel 2.4 Useful Patches


config_ip_stealth: Do not send RST in response to a connect() to a closed port

Ported MadCamel's CONFIG_IP_STEALTH patch from 2.2.18. It allows the kernel to drop connection attempts to closed ports without sending an RST back, which is useful as a first protection barrier. The ICMP code has been removed from the patch, since kernel 2.4 already provides everything needed to block outgoing ICMP.

Initial date: 2000/12/12
Last update: 2006/01/09
Description: Do not send RST in response to a connect() to a closed port
Author(s): Willy Tarreau

Notes

The default behaviour is unchanged. To enable stealth mode, set the sysctl the patch adds:
# echo 1 >/proc/sys/net/ipv4/tcp_restrict_rst
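The following script is an added illustration and is not part of the patch or of Willy Tarreau's code. It shows what the sysctl changes from a client's point of view: on a stock kernel a connect() to a closed port fails immediately because the peer answers the SYN with an RST, whereas with tcp_restrict_rst set to 1 the SYN is dropped and the client sees only a timeout. The function and file names (read_sysctl_flag, probe_tcp, the sysctl path) are the script's own assumptions; the sysctl file only exists on a 2.4 kernel carrying this patch, so the script reports it as absent elsewhere. Everything else runs against the loopback interface of any Linux host.

```python
# Added example (not from the original patch page): observe, from a client,
# the difference between a closed port that answers with RST and one that is
# silently dropped, and read the tcp_restrict_rst sysctl the patch introduces.
# The 'filtered' outcome only shows up when the peer drops the SYN, e.g. a
# closed port on a 2.4 kernel with tcp_restrict_rst=1.
import errno
import socket

# Path of the sysctl added by the patch; absent on kernels without it.
TCP_RESTRICT_RST = "/proc/sys/net/ipv4/tcp_restrict_rst"


def read_sysctl_flag(path=TCP_RESTRICT_RST):
    """Return True/False for a 1/0 sysctl, or None when the file is missing."""
    try:
        with open(path) as f:
            return f.read().strip() != "0"
    except OSError:
        return None


def probe_tcp(host, port, timeout=2.0):
    """Classify a single connect() attempt.

    'open'       - three-way handshake completed
    'closed_rst' - peer answered the SYN with RST (ECONNREFUSED); this is the
                   stock kernel behaviour for a closed port
    'filtered'   - no answer before the timeout; what a closed port looks like
                   once tcp_restrict_rst is enabled (the client keeps
                   retransmitting the SYN until its own timeout expires)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed_rst"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:  # defensive: plain OSError variant
            return "closed_rst"
        raise
    finally:
        s.close()


def open_listening_port():
    """Start a listener on an ephemeral loopback port; the caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Return a loopback port number that nothing is currently listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()  # released again: a connect() here reaches a closed port
    return port


if __name__ == "__main__":
    flag = read_sysctl_flag()
    print("tcp_restrict_rst:",
          "not present on this kernel" if flag is None else int(flag))
    srv, open_port = open_listening_port()
    print("open port    ->", probe_tcp("127.0.0.1", open_port))
    srv.close()
    print("closed port  ->", probe_tcp("127.0.0.1", reserve_closed_port()))
```

Run it once before and once after enabling the sysctl on a patched 2.4 host: the closed-port line should move from closed_rst to filtered, which is also the practical cost of stealth mode, since legitimate clients that hit a closed port now wait for a timeout instead of failing fast.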

(C) Willy Tarreau - 2008-06-01