From owner-freebsd-security Thu Dec 18 09:33:35 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA05800 for security-outgoing; Thu, 18 Dec 1997 09:33:35 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA05793 for ; Thu, 18 Dec 1997 09:33:33 -0800 (PST) (envelope-from nash@Jupiter.Mcs.Net)
Received: from Jupiter.Mcs.Net (nash@Jupiter.mcs.net [192.160.127.88]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id LAA11863; Thu, 18 Dec 1997 11:33:32 -0600 (CST)
Received: from localhost (nash@localhost) by Jupiter.Mcs.Net (8.8.7/8.8.2) with SMTP id LAA04388; Thu, 18 Dec 1997 11:33:31 -0600 (CST)
Date: Thu, 18 Dec 1997 11:33:31 -0600 (CST)
From: Alex Nash
To: Adam Shostack
cc: Firewall Wizards List, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel options for FW?
In-Reply-To: <199712181615.LAA14478@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 18 Dec 1997, Adam Shostack wrote:

> options IPFORWSRCRT=0           //Turn off source routing.

This is the default.  It is controllable via sysctl.

> options IPNOPRIVPORTS           //Remove concept of priv'd ports so BIND doesn't
>                                 //need to run as root.

I don't know if there's a good way of doing this, but you could hack
IPPORT_RESERVED in in.h (unfortunately this isn't surrounded by an
ifndef, so you can't just throw options IPPORT_RESERVED into your
kernel config).

> options IPFILTER_DEFAULT_BLOCK  //Put my FW policy in the kernel.

This is the default for FreeBSD's ipfw.

Alex
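The three points in the reply above (source routing off, whether privileged ports are enforced, ipfw defaulting to deny) can be audited on a FreeBSD firewall host with a small script. This is an added example, not code from the thread or from FreeBSD; the sysctl names net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute and net.inet.ip.portrange.reservedhigh are my assumptions about current FreeBSD (the last one is the tunable that took the place of editing IPPORT_RESERVED in in.h), and the ipfw listing in the script is constructed sample data. Each check takes its input as arguments so it can be run offline against captured output; --live reads the running kernel.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits the three points
# Alex Nash answers above on a FreeBSD firewall host. The sysctl names are my
# assumptions about current FreeBSD, not names from the 1997 message:
#   net.inet.ip.sourceroute / net.inet.ip.accept_sourceroute   (IPFORWSRCRT)
#   net.inet.ip.portrange.reservedhigh   (replaced hacking IPPORT_RESERVED)
# Each check takes its input as arguments so it runs offline; --live reads the
# running kernel with sysctl(8) and ipfw(8).

# Source routing: both forwarding and accepting source-routed packets off.
check_sourceroute() {   # args: <sourceroute> <accept_sourceroute>
    if [ "$1" = "0" ] && [ "$2" = "0" ]; then
        echo "sourceroute: ok (forward=$1 accept=$2)"
        return 0
    fi
    echo "sourceroute: WARNING forward=$1 accept=$2 (want 0 0)"
    return 1
}

# Reserved ports: reservedhigh=1023 is the classic behaviour (bind() below
# 1024 needs root); 0 removes the privileged-port concept, which is what
# lowering IPPORT_RESERVED in in.h achieved. Returns 0 when enforced.
reserved_ports_enforced() {   # arg: <reservedhigh>
    if [ "$1" -gt 0 ] 2>/dev/null; then
        echo "privports: enforced up to port $1 (daemons need root to bind low)"
        return 0
    fi
    echo "privports: NOT enforced (reservedhigh=$1); any uid may bind low ports"
    return 1
}

# ipfw policy: the catch-all rule 65535 must be 'deny' for default-block.
# If it reads 'allow', the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
check_ipfw_default() {   # arg: full text of 'ipfw list'
    action=$(printf '%s\n' "$1" | awk '$1 == "65535" { print $2 }')
    if [ "$action" = "deny" ]; then
        echo "ipfw: ok, rule 65535 is deny (default block)"
        return 0
    fi
    echo "ipfw: WARNING rule 65535 action is '${action:-missing}', not deny"
    return 1
}

audit_live() {   # run on the firewall itself (FreeBSD, as root)
    check_sourceroute "$(sysctl -n net.inet.ip.sourceroute)" \
                      "$(sysctl -n net.inet.ip.accept_sourceroute)"
    reserved_ports_enforced "$(sysctl -n net.inet.ip.portrange.reservedhigh)"
    check_ipfw_default "$(ipfw list)"
}

# Constructed sample of 'ipfw list' output for running the checks offline.
SAMPLE_IPFW='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65535 deny ip from any to any'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    check_sourceroute 0 0
    reserved_ports_enforced 1023
    check_ipfw_default "$SAMPLE_IPFW"
fi
```

Run it as `sh audit-fw.sh --live` on the firewall; without the flag it exercises the checks against the constructed sample so the logic can be read and tried on any host. The privileged-port check only reports state, since whether to keep the reserved range is the policy decision the thread is debating rather than a setting with one correct value.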