From owner-freebsd-security Fri Jun 11 16:16:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from unreal.gatekeep.net (gatekeep.net [209.17.177.144])
	by hub.freebsd.org (Postfix) with ESMTP id 188E9154C6
	for ; Fri, 11 Jun 1999 16:16:06 -0700 (PDT)
	(envelope-from freebsd@unreal.gatekeep.net)
Received: from localhost (freebsd@localhost)
	by unreal.gatekeep.net (8.9.3/8.9.3) with ESMTP id QAA46176;
	Fri, 11 Jun 1999 16:06:03 -0700 (PDT)
Date: Fri, 11 Jun 1999 16:06:02 -0700 (PDT)
From: freebsd
To: Nick Rogness
Cc: "Jason L. Schwab" , Pete Fritchman , ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I suggest installing ICMP_BANDLIM into the kernel (grep LINT) and setting
it to about 20...

sysctl -w net.inet.icmp.icmplim=20

Also for syn floods, I suggest going to geek-girl.com and getting the new
syn protection patch for FreeBSD. It works; you also set it via sysctl...

On Fri, 11 Jun 1999, Nick Rogness wrote:

> On Fri, 11 Jun 1999, Pete Fritchman wrote:
>
> > You probably just want to deny all icmp to your dialup.
> >
> > ipfw add deny icmp from any to any
>
> Some online games rely on icmp packets to monitor
> your speed to the server (e.g. Quake2). With some
> games this might be a problem.
>
> > --------------------
> > [ Pete Fritchman ]
> > [ Systems Engineer ]
> > [petef@netreach.net]
> > --------------------
> >
> > On Fri, 11 Jun 1999, Jason L. Schwab wrote:
> >
> > > Date: Fri, 11 Jun 1999 14:21:27 -0700 (MST)
> > > From: "Jason L. Schwab"
> > > To: ghandi@mindless.com
> > > Cc: freebsd-security@FreeBSD.ORG
> > > Subject: firewalls
> > >
> > > Dear all of you,
> > >
> > > What rules should I add to ipfw to make it to where no one can
> > > Denial Of Service or D.o.S. me or any of those kinds of things? but I
> > > wanna allow everything else thro. I'm on 56k dialup.. hope to be on
> > > 256k once our phone company here gets it up and running... thanks
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
>
> *******************************************************************
> Nick Rogness                  "Never settle with words what
> System Administrator           can be accomplished with a
> RapidNet, INC                  flame-thrower"
> nick@rapidnet.com
> *******************************************************************

Brandon Hicks - Gate Keeper Technologies
www.gatekeep.net
bhicks@gatekeep.net