Date: Sun, 21 Dec 1997 22:01:36 +1100 (EST)
From: Darren Reed <darrenr@cyber.com.au>
To: adam@homeport.org
Cc: firewall-wizards@nfr.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel options for FW?
Message-ID: <199712211101.WAA11110@plum.cyber.com.au>
In-Reply-To: <199712181615.LAA14478@homeport.org> from "Adam Shostack" at Dec 18, 97 11:15:02 am

In some mail I received from Adam Shostack, sie wrote
>
> (This is not meant to spark a religious war.  I'm asking for help
> configuring a kernel, and comparing kernel security features between
> FreeBSD and NetBSD to make a reasonable decision.)
>
> On NetBSD, I'd enable the following options.  I can't find equivalents
> to these on FreeBSD.  Do they exist, and what are they?  Also, I know
> FreeBSD sets kernel security wrong (-1) by default, and that needs to
> be fixed.  Are there other things that I should know about on FreeBSD
> to do everything right?

I'm using FreeBSD 2.2.5 here...

> options IPFORWSRCRT=0 //Turn off source routing.

net.inet.ip.sourceroute: 0

> options IPNOPRIVPORTS //Remove concept of priv'd ports so BIND doesn't
>                       //need to run as root.

net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024

Might be worth investigating for what these can offer to you.  I've not
played with these but it might be interesting :-)  Although, I think these
affect what binding to port 0 does...

[...]

You should check that the following sysctl variable is off unless you need
it on:

net.inet.ip.forwarding

You might also want to think about

net.inet.ip.redirect
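
Added example, not part of the original message: a POSIX shell check that reads sysctl output in the "name: value" form quoted above and compares the two settings the message gives a value for (net.inet.ip.sourceroute at 0, net.inet.ip.forwarding off). The function names and the sample forwarding and redirect values are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message).
# audit_sysctl reads sysctl output ("name: value", as quoted in the message)
# on stdin, prints one finding per line, returns 1 on any FAIL or MISSING.
audit_sysctl() {
    awk -F' *[:=] *' '
    BEGIN {
        bad = 0
        # Values the message gives: source routing 0, forwarding off.
        want["net.inet.ip.sourceroute"] = "0"
        want["net.inet.ip.forwarding"]  = "0"
        # No value is stated for redirect, so it is only surfaced for review.
        review["net.inet.ip.redirect"] = 1
    }
    NF >= 2 {
        name = $1; val = $2
        sub(/[ \t\r]+$/, "", val)      # tolerate trailing blanks / CR
        seen[name] = 1
        if (name in want) {
            if (val == want[name]) {
                printf "OK     %s = %s\n", name, val
            } else {
                printf "FAIL   %s = %s (expected %s)\n", name, val, want[name]
                bad = 1
            }
        } else if (name in review) {
            printf "REVIEW %s = %s\n", name, val
        }
    }
    END {
        # A setting that never appeared in the input cannot be assumed safe.
        for (n in want) if (!(n in seen)) { printf "MISSING %s\n", n; bad = 1 }
        exit bad
    }'
}

# Constructed sample: sourceroute as shown in the message; the forwarding
# and redirect values are made up to exercise the FAIL and REVIEW paths.
sample_sysctl() {
    cat <<'EOF'
net.inet.ip.sourceroute: 0
net.inet.ip.forwarding: 1
net.inet.ip.redirect: 1
net.inet.ip.portrange.first: 1024
EOF
}

sample_sysctl | audit_sysctl || echo "deviations found"
```

On a live host, pipe `sysctl net.inet.ip.sourceroute net.inet.ip.forwarding net.inet.ip.redirect` into `audit_sysctl` instead of the sample.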