From owner-freebsd-security Sun Dec 21 00:55:03 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id AAA18468 for security-outgoing; Sun, 21 Dec 1997 00:55:03 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id AAA18460 for ; Sun, 21 Dec 1997 00:54:58 -0800 (PST) (envelope-from darrenr@cyber.com.au)
Received: (from darrenr@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id TAA09356; Sun, 21 Dec 1997 19:54:14 +1100
From: Darren Reed
Message-Id: <199712210854.TAA09356@plum.cyber.com.au>
Subject: Re: Kernel options for FW?
To: cschuber@uumail.gov.bc.ca
Date: Sun, 21 Dec 1997 19:54:13 +1100 (EST)
Cc: adam@homeport.org, firewall-wizards@nfr.net, freebsd-security@freebsd.org
In-Reply-To: <199712191538.HAA00996@cwsys.cwsent.com> from "Cy Schubert - ITSD Open Systems Group" at Dec 19, 97 07:37:59 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail I received from Cy Schubert - ITSD Open Systems Group, sie wrote
>
> > options IPFORWSRCRT=0 //Turn off source routing.
>
> Under FreeBSD you would use,
>
> ipfw deny ... ipoptions ssrr
> ipfw deny ... ipoptions lsrr
> ipfw deny ... ipoptions rr

Or if using IP Filter on FreeBSD:

block in all with ipopt lsrr
block in all with ipopt ssrr

(You shouldn't need to block the Record-Route option (rr) as it doesn't actually affect routing, just records it).

> > options IPNOPRIVPORTS //Remove concept of priv'd ports so BIND doesn't
> > //need to run as root.
>
> There is no equivalent in FreeBSD-stable. I'm not sure whether -current has
> it.

I've posted a bunch of patches for BIND 8.1.1 which allow config options to change the user it runs as and to have it run chroot'd, so this should not be as much of a worry.

> > options IPFILTER_DEFAULT_BLOCK //Put my FW policy in the kernel.
>
> The FreeBSD default is BLOCK and is defined as rule 65535. If you wish to
> make the default PASS, then you'd define rule 65534 with the pass option.

Since I'm at `fault' or `to blame' here, I'll add a comment or two. In my experience, defaulting to block in a system which isn't sold as a firewall caused more problems than it was worth ;) And so, IP Filter for FreeBSD requires the same.
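As an added example (not from the mail, and not ipfw or IP Filter code), here is the check those `ipoptions ssrr/lsrr` and `with ipopt lsrr/ssrr` rules express, written as a C function over a raw IPv4 header: it walks the options area, flags LSRR and SSRR but leaves RR alone as the mail suggests, and reports a malformed option length separately so a filter can fail closed. The sample headers are constructed inline, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 option type values (RFC 791). */
#define IPOPT_EOOL 0
#define IPOPT_NOP  1
#define IPOPT_RR   7
#define IPOPT_LSRR 131
#define IPOPT_SSRR 137
enum { OPT_NONE = 0, OPT_LSRR = 1, OPT_SSRR = 2, OPT_MALFORMED = -1 };

/* Walk an IPv4 header's options area. LSRR/SSRR are reported, RR is not
 * (it only records the path). An unparseable option is reported on its own
 * so the caller can block it rather than let an odd header through. */
int classify_ip_options(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return OPT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* header length, bytes */
    if (ihl < 20 || ihl > len) return OPT_MALFORMED;
    int verdict = OPT_NONE;
    for (size_t off = 20; off < ihl; ) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOOL) break;
        if (type == IPOPT_NOP) { off++; continue; }
        if (off + 1 >= ihl) return OPT_MALFORMED;          /* no length byte */
        uint8_t olen = pkt[off + 1];
        if (olen < 2 || off + olen > ihl) return OPT_MALFORMED; /* overruns header */
        if (type == IPOPT_LSRR) verdict = OPT_LSRR;
        else if (type == IPOPT_SSRR) verdict = OPT_SSRR;
        off += olen;
    }
    return verdict;
}

/* Constructed sample headers (hypothetical 10.0.0.1 -> 10.0.0.2, TCP): a
 * 20-byte base header, then an 8-byte options area where IHL = 7. */
#define HDR(ihl, tot) 0x40|(ihl),0,0,(tot),0,0,0,0,64,6,0,0, 10,0,0,1, 10,0,0,2
static const uint8_t pkt_plain[] = { HDR(5, 20) };
static const uint8_t pkt_lsrr[]  = { HDR(7, 28), IPOPT_NOP, IPOPT_LSRR, 7, 4, 10,0,0,3 };
static const uint8_t pkt_rr[]    = { HDR(7, 28), IPOPT_RR, 7, 4, 10,0,0,3, IPOPT_EOOL };
static const uint8_t pkt_bad[]   = { HDR(7, 28), IPOPT_SSRR, 40, 4, 0,0,0,0,0 };

int main(void)
{   /* prints: plain=0 lsrr=1 rr=0 bad=-1 */
    printf("plain=%d lsrr=%d rr=%d bad=%d\n",
           classify_ip_options(pkt_plain, sizeof pkt_plain), classify_ip_options(pkt_lsrr, sizeof pkt_lsrr),
           classify_ip_options(pkt_rr, sizeof pkt_rr), classify_ip_options(pkt_bad, sizeof pkt_bad));
    return 0;
}
```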