From owner-freebsd-security Fri Jun 11 16:31:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from unreal.gatekeep.net (gatekeep.net [209.17.177.144])
	by hub.freebsd.org (Postfix) with ESMTP id 51A1E154D3
	for ; Fri, 11 Jun 1999 16:31:37 -0700 (PDT)
	(envelope-from freebsd@unreal.gatekeep.net)
Received: from localhost (freebsd@localhost)
	by unreal.gatekeep.net (8.9.3/8.9.3) with ESMTP id QAA49575;
	Fri, 11 Jun 1999 16:24:37 -0700 (PDT)
Date: Fri, 11 Jun 1999 16:24:37 -0700 (PDT)
From: freebsd
To: matt
Cc: Nick Rogness, "Jason L. Schwab", Pete Fritchman, ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes, 20 is low, but don't forget he was on a dialup... a dialup connection
can't handle that much. I was only saying for his purposes. For a T1+, a
100-200 limit is about right.

On Fri, 11 Jun 1999, matt wrote:

> On Fri, 11 Jun 1999, freebsd wrote:
>
> : I suggest installing ICMP_BANDLIM into the kernel (grep LINT) and setting
> : it to about 20... sysctl -w net.inet.icmp.icmplim=20
>
> I use both patches, they work nicely, however, I set the limits at 200 for
> both on bootup with sysctl.. I think the default of 100 is a lil low, and
> 20 lord. a portscan would trip that off like crazy. Course, I run
> portsentry with ipfw to handle those *grin* .. Still though, 20 might be
> a bit low...
>
> : Also for syn floods, I suggest going to geek-girl.com and getting the new
> : syn protection patch for FreeBSD, it works, you also set it via sysctl...
>
> [...]
>
> Matt
>
> --
> DISCLAIMER: Anyone sending me unsolicited commercial electronic mail
> automatically agrees to be held to the following legal terms:
>
> US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets the
> definition of a telephone fax machine. By Sec.227(b)(1)(C), it is
> unlawful to send any unsolicited advertisement to such equipment. By
> Sec.227(b)(3)(C), a violation of the aforementioned Section is punishable
> by action to recover actual monetary loss, or $500, whichever is greater,
> for each violation.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message