From: "Rob"
To: "G D McKee"
Cc: freebsd-questions@freebsd.org
Date: Fri, 16 May 2003 17:49:57 +0930
Subject: Re: Securing FreeBSD

The TCP_DROP_SYNFIN option breaks support for T/TCP - see ttcp(4). This could be used by webservers for small TCP sessions with minimum overhead, but I don't know if any actually do it.

security(7) gives you an overview of various options. See blackhole(4) for info on the sysctl variables you mentioned.

Another option for your kernel is ICMP_BANDLIM, though this is less necessary if you use blackhole and a firewall.

----- Original Message -----
From: "G D McKee"
To:
Sent: Friday, May 16, 2003 3:30 AM
Subject: Securing FreeBSD

Hi all

I am trying to secure my freebsd box and avoid giving too much info away to port scans.
I have found some sites relating to this and have put the following lines in /etc/sysctl.conf

    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1

and added these to the firewall:

    options RANDOM_IP_ID
    options TCP_DROP_SYNFIN    #drop TCP packets with SYN+FIN

Can someone explain to me why the TCP_DROP_SYNFIN option breaks web access? It doesn't seem to have made any changes that I have noticed. I can't find any docs regarding this to explain what it might break.

Does anyone know any other variables to add to make me more secure?

Thanks in advance

Gordon