From: Adam Shostack
Subject: Kernel options for FW?
To: firewall-wizards@nfr.net (Firewall Wizards List), freebsd-security@FreeBSD.ORG
Date: Thu, 18 Dec 1997 11:15:02 -0500 (EST)
Message-Id: <199712181615.LAA14478@homeport.org>

(This is not meant to spark a religious war. I'm asking for help configuring a kernel, and comparing kernel security features between FreeBSD and NetBSD to make a reasonable decision.)

On NetBSD, I'd enable the following options. I can't find equivalents to these on FreeBSD. Do they exist, and what are they?

Also, I know FreeBSD sets kernel security wrong (-1) by default, and that needs to be fixed. Are there other things that I should know about on FreeBSD to do everything right?

    options IPFORWSRCRT=0          // Turn off source routing.
    options IPNOPRIVPORTS          // Remove concept of priv'd ports so BIND doesn't
                                   // need to run as root.
    options IPFILTER_DEFAULT_BLOCK // Put my FW policy in the kernel.
    options FDSCRIPTS              // Allow a script to be run if it is x only, by
                                   // passing a file descriptor to the interpreter,
                                   // avoiding some race conditions.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
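An added check, not part of Adam's message or of FreeBSD itself: a small shell audit that reads `sysctl`-style output and flags two of the items above on a FreeBSD host, the securelevel left at -1 and source-routed packets being forwarded or accepted. It assumes the sysctl names kern.securelevel, net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute (present on current FreeBSD, not named in the message) and runs here on constructed sample output rather than a live host.

```shell
#!/bin/sh
# Added example: audit "name: value" lines (the format `sysctl` prints) for the
# permissive settings the message warns about. Assumed mapping: NetBSD's
# IPFORWSRCRT=0 corresponds to net.inet.ip.sourceroute=0 (do not forward
# source-routed packets) and net.inet.ip.accept_sourceroute=0 (do not accept them).

# audit_sysctl reads sysctl lines on stdin, prints one OK/WEAK line per relevant setting.
audit_sysctl() {
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*: }
        case "$name" in
            kern.securelevel)
                # -1 is the default the message complains about; a firewall
                # should run at securelevel 1 or higher so it cannot be lowered.
                if [ "$value" -ge 1 ] 2>/dev/null; then
                    echo "OK   $name=$value"
                else
                    echo "WEAK $name=$value (expected >= 1)"
                fi ;;
            net.inet.ip.sourceroute|net.inet.ip.accept_sourceroute)
                # 0 means source-routed packets are neither forwarded nor accepted.
                if [ "$value" = "0" ]; then
                    echo "OK   $name=$value"
                else
                    echo "WEAK $name=$value (expected 0)"
                fi ;;
        esac
    done
}

# Constructed sample, standing in for `sysctl kern.securelevel net.inet.ip` on a
# freshly installed box: securelevel still -1, source-routed packets accepted.
SAMPLE='kern.securelevel: -1
net.inet.ip.forwarding: 1
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 1'

# count_weak returns the number of WEAK findings in SAMPLE (2 for the sample above).
count_weak() {
    printf '%s\n' "$SAMPLE" | audit_sysctl | grep -c '^WEAK' || true
}

printf '%s\n' "$SAMPLE" | audit_sysctl
```

On a real host, replace the constructed sample with `sysctl kern.securelevel net.inet.ip | audit_sysctl`.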