From: Terry Lambert
Message-Id: <199809152109.OAA25292@usr09.primenet.com>
Subject: Re: problem using 3 x znyx314 cards for 12 de ethernets
To: sthaug@nethelp.no
Date: Tue, 15 Sep 1998 21:09:35 +0000 (GMT)
Cc: tlambert@primenet.com, hackers@FreeBSD.ORG, questions@FreeBSD.ORG
In-Reply-To: <10256.905814797@verdi.nethelp.no> from "sthaug@nethelp.no" at Sep 15, 98 01:13:17 am

> Also, since the FreeBSD TCP/IP stack currently doesn't implement IPv6,
> I find it hard to use this as a very strong argument.

Both the WIDE IPv6 and the INRIA IPv6 run under FreeBSD.

> My conclusion is that we probably need separate sysctl variables for
> "multicast echo" and "broadcast echo", with the former defaulting to
> on, and the latter to off. Yes, I volunteer to do this if there is
> any interest.
I think it should default to "on", since that is historical behaviour, and because I've had more than one MIS problem that came down to not being able to identify the hardware address of a misconfigured machine because the !@#!@$! thing would not reply to broadcast ping, and didn't support any services that you could telnet to, to get it into the arp table to look there.

At this point, lack of a broadcast ping degrades to a cube-to-cube search for the offending Microsoft box. If FreeBSD also fails to reply to perfectly valid broadcasts, well, then it becomes a cube-to-cube search for the offending Microsoft *or* FreeBSD box (bletch!).

If you are worried about DOS attacks, and you are too stupid to set up your firewall correctly, I have little sympathy, since if nothing else, they could hijack your NFS connections (which I presume you were also too dumb to firewall: stupid is as stupid does, after all), and then sysctl the things back on themselves.

In other words, either your network is secure by design, or it's broken by design, and there is no "happy medium".

> > Certainly, you should be able to turn it off, but the correct place
> > to block DOS broadcast ping attacks is your firewall.
>
> I agree that this is the best place for it - but I'd also like FreeBSD
> systems to be secure against smurf attacks out of the box, even if the
> router/firewall/whatever lets IP broadcast through (and translates it
> to link-level broadcast).

And what about NFS hijack, SMB hijack, source routing, IP spoofing, etc.?

A firewall is a requirement for a secure network; that's all there is to it.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
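The firewall-side mitigation Terry is describing, as an added example that is not part of the thread or of any FreeBSD code: a small POSIX sh script that computes a subnet's directed-broadcast address and prints ipfw rules dropping (and logging) inbound ICMP echo requests aimed at it, which is what stops hosts behind the firewall from amplifying a smurf flood even when the upstream router forwards IP broadcasts. The interface name `de0` and the subnet `192.168.1.0/24` are constructed sample values; the host-side knob the thread argues about is FreeBSD's `net.inet.icmp.bmcastecho` sysctl, which this script does not touch.

```shell
#!/bin/sh
# Added example, not from the original thread: emit ipfw rules that drop ICMP
# echo requests (type 8) sent to a subnet's directed-broadcast address and to
# the all-ones broadcast, so hosts behind the firewall cannot be used as smurf
# amplifiers even when the upstream router forwards IP broadcasts.
# Interface "de0" and subnet 192.168.1.0/24 are constructed sample values;
# the rules are printed for review, never installed.

# bcast_addr NETWORK/PREFIX -> directed-broadcast address of that subnet
bcast_addr() {
    net=${1%/*}; plen=${1#*/}
    case $plen in
        ''|*[!0-9]*) echo "bad prefix length: $1" >&2; return 1 ;;
    esac
    [ "$plen" -le 32 ] || { echo "bad prefix length: $1" >&2; return 1; }
    IFS=. read -r a b c d <<EOF
$net
EOF
    addr=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    host_bits=$(( (1 << (32 - plen)) - 1 ))   # all-ones host part
    bc=$(( addr | host_bits ))
    printf '%d.%d.%d.%d\n' $(( (bc >> 24) & 255 )) $(( (bc >> 16) & 255 )) \
        $(( (bc >> 8) & 255 )) $(( bc & 255 ))
}

# smurf_rules IFACE NETWORK/PREFIX -> ipfw rules for inbound echo requests
# aimed at broadcast addresses on IFACE (logged so a flood shows up in syslog)
smurf_rules() {
    iface=$1
    bc=$(bcast_addr "$2") || return 1
    printf 'ipfw add deny log icmp from any to %s icmptypes 8 in via %s\n' \
        "$bc" "$iface"
    printf 'ipfw add deny log icmp from any to 255.255.255.255 icmptypes 8 in via %s\n' \
        "$iface"
}

smurf_rules de0 192.168.1.0/24
```

Unicast echo requests to the hosts themselves are untouched, so the broadcast-ping troubleshooting Terry wants still works from inside the network.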