Date: Tue, 14 Mar 2000 01:08:06 GMT
From: Salvo Bartolotta <bartequi@neomedia.it>
To: freebsd-questions@FreeBSD.ORG
Subject: firewall questions
Message-ID: <20000314.1080600@bartequi.ottodomain.org>
Dear FreeBSDers,

I was wondering whether there was some difference between:

1A) add 1000 deny log tcp from any to localhost in tcpflags fin,syn
1B) Kernel "options TCP_DROP_SYNFIN"

2A) add 2000 deny tcp from localhost to any out tcpflags rst
2B) Kernel "options TCP_RESTRICT_RST"

3A) add 3000 deny icmp from localhost to any out
3B) Kernel "options ICMP_BANDLIM"

In and out are probably redundant here.

AFAICS, 3A) denies ALL icmp traffic from localhost, whereas 3B) only limits that type of traffic. However, the difference between 1A) and 1B), as well as between 2A) and 2B), seems harder to tell. In particular I wonder whether there is some *efficiency* difference between them.

Am I (yawn) missing anything obvious?

I built a firewall for my home box. I was not paranoid: inter alia, I was port scanned a few times. Although I had disabled all unnecessary things, I felt it necessary to deny ip *fragments* etc. Yahoo docet :-)

I seem to understand that the most comprehensive, powerful and (perhaps) efficient defence instrument (as a packet filter tool) is ipfw(8). Is this correct, too?

Thanks in advance and best regards from (yawning yet again)

Salvo
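As an added illustration (not part of the original message or of FreeBSD's own code), the following Python model applies the matching semantics of the three ipfw rules above to a few constructed packets: ipfw's `tcpflags` list requires every listed flag to be set (a `!` prefix requires it clear), and a rule carrying `tcpflags` never matches a fragment with a non-zero offset, which is why a separate rule for fragments matters. Packet dicts and flag values are constructed samples, not captured traffic.

```python
"""Model of ipfw(8) matching for proto, direction and tcpflags.
Rule and packet representations are this example's own simplification."""

# Bit values of the TCP flags as they appear in the TCP header
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}

def tcpflags_match(spec, flags):
    """ipfw semantics: every listed flag must be set, every '!flag' clear."""
    for item in spec.split(","):
        want_clear = item.startswith("!")
        bit = TCP_FLAG_BITS[item.lstrip("!")]
        if want_clear == bool(flags & bit):
            return False
    return True

def rule_matches(rule, pkt):
    """rule: proto, optional dir ('in'/'out'), optional tcpflags spec."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule.get("dir") and rule["dir"] != pkt["dir"]:
        return False
    spec = rule.get("tcpflags")
    if spec:
        # ipfw: a tcpflags rule never matches a fragment with non-zero offset,
        # because the TCP header is only present in the first fragment
        if pkt.get("frag_offset", 0) != 0:
            return False
        return tcpflags_match(spec, pkt["flags"])
    return True

# The three deny rules from the question, keyed by rule number
RULES = {
    1000: {"proto": "tcp", "dir": "in", "tcpflags": "fin,syn"},
    2000: {"proto": "tcp", "dir": "out", "tcpflags": "rst"},
    3000: {"proto": "icmp", "dir": "out"},
}

def first_match(pkt):
    """Lowest-numbered deny rule matching the packet, or None if none does."""
    for num in sorted(RULES):
        if rule_matches(RULES[num], pkt):
            return num
    return None

# Constructed sample packets
SYNFIN_PROBE = {"proto": "tcp", "dir": "in", "flags": 0x03}   # syn+fin
NORMAL_SYN   = {"proto": "tcp", "dir": "in", "flags": 0x02}
OUT_RST      = {"proto": "tcp", "dir": "out", "flags": 0x14}  # rst+ack
ECHO_REPLY   = {"proto": "icmp", "dir": "out"}
SYNFIN_FRAG  = {"proto": "tcp", "dir": "in", "flags": 0x03, "frag_offset": 8}
```

`first_match(SYNFIN_FRAG)` returns None: the same SYN+FIN bits arriving in a fragment with a non-zero offset slip past rule 1000, so the fragment denial the question mentions is a separate, necessary rule.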