From owner-freebsd-security Sun Dec 21 03:02:13 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id DAA23493 for security-outgoing; Sun, 21 Dec 1997 03:02:13 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id DAA23486 for ; Sun, 21 Dec 1997 03:01:54 -0800 (PST) (envelope-from darrenr@cyber.com.au)
Received: (from darrenr@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id WAA11110; Sun, 21 Dec 1997 22:01:36 +1100
From: Darren Reed
Message-Id: <199712211101.WAA11110@plum.cyber.com.au>
Subject: Re: Kernel options for FW?
To: adam@homeport.org
Date: Sun, 21 Dec 1997 22:01:36 +1100 (EST)
Cc: firewall-wizards@nfr.net, freebsd-security@FreeBSD.ORG
In-Reply-To: <199712181615.LAA14478@homeport.org> from "Adam Shostack" at Dec 18, 97 11:15:02 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail I received from Adam Shostack, sie wrote
>
> (This is not meant to spark a religious war.  I'm asking for help
> configuring a kernel, and comparing kernel security features between
> FreeBSD and NetBSD to make a reasonable decision.)
>
> On Netbsd, I'd enable the following options.  I can't find equivalents
> to these on FreeBSD.  Do they exist, and what are they?  Also, I know
> Freebsd sets kernel security wrong (-1) by default, and that needs to
> be fixed.  Are there other things that I should know about on Freebsd
> to do everything right?

I'm using FreeBSD 2.2.5 here...

> options IPFORWSRCRT=0    //Turn off source routing.

net.inet.ip.sourceroute: 0

> options IPNOPRIVPORTS    //Remove concept of priv'd ports so BIND doesn't
>                          //need to run as root.

net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024

Might be worth investigating for what these can offer to you.
I've not played with these but it might be interesting :-)

Although, I think these affect what binding to port 0 does...

[...]

You should check that the following sysctl variable is off unless you
need it on:

net.inet.ip.forwarding

You might also want to think about net.inet.ip.redirect
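An added example, not part of Darren's mail and not FreeBSD's own tooling: a small POSIX sh script that audits `sysctl -a` output for the variables the thread names (net.inet.ip.sourceroute, net.inet.ip.forwarding, net.inet.ip.redirect) against the values a firewall host is expected to have. The sample sysctl output is constructed for the example; the expected value of 0 for forwarding is the thread's "off unless you need it on", so a box that does route traffic would change that entry in the policy list.

```shell
#!/bin/sh
# Added example (not from the original mail): audit the sysctl values the
# thread mentions against the hardening a firewall host is expected to have.
# Policy: source routing off, forwarding off unless the box actually routes,
# ICMP redirects off. The sample input below is constructed, not captured.

SAMPLE_SYSCTL='net.inet.ip.forwarding: 1
net.inet.ip.redirect: 1
net.inet.ip.sourceroute: 0
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600'

# check_sysctl NAME EXPECTED
# Reads sysctl -a style output on stdin ("name: value" as FreeBSD prints it,
# or "name = value" as some other systems print it), prints one status line,
# and returns 0 if the value matches, 1 if it differs, 2 if it is absent.
check_sysctl() {
    name=$1
    expected=$2
    actual=$(awk -v n="$name" '
        $1 == (n ":")            { print $2; exit }
        $1 == n && $2 == "="     { print $3; exit }')
    if [ -z "$actual" ]; then
        echo "MISSING  $name (not in sysctl output)"
        return 2
    elif [ "$actual" = "$expected" ]; then
        echo "OK       $name = $actual"
        return 0
    else
        echo "CHANGE   $name = $actual (want $expected)"
        return 1
    fi
}

# audit_firewall_sysctls SYSCTL_OUTPUT
# Checks each policy entry, prints a status line per variable, and prints
# the number of variables needing attention as its final line.
audit_firewall_sysctls() {
    failures=0
    for entry in \
        net.inet.ip.sourceroute=0 \
        net.inet.ip.forwarding=0 \
        net.inet.ip.redirect=0
    do
        name=${entry%=*}
        want=${entry#*=}
        printf '%s\n' "$1" | check_sysctl "$name" "$want" || failures=$((failures + 1))
    done
    echo "$failures"
}

# Stand-alone run against the constructed sample. On a real FreeBSD host
# you would feed it live output instead:  audit_firewall_sysctls "$(sysctl -a)"
audit_firewall_sysctls "$SAMPLE_SYSCTL"
```

A variable that is missing from the output counts as needing attention rather than as passing, since an absent knob on an unfamiliar release is exactly the case worth a second look.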