From owner-freebsd-security Thu Mar 8 11:48:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id E593C37B718 for ; Thu, 8 Mar 2001 11:48:08 -0800 (PST) (envelope-from christopher@schulte.org)
Received: from ronayne.schulte.org (nb-22.netbriefings.com [204.72.185.22]) by poontang.schulte.org (8.9.3/8.9.3) with ESMTP id NAA62542; Thu, 8 Mar 2001 13:48:03 -0600 (CST) (envelope-from christopher@schulte.org)
Message-Id: <5.0.2.1.0.20010308134342.02761e70@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Thu, 08 Mar 2001 13:47:49 -0600
To: Brooks Davis
From: Christopher Schulte
Subject: Re: strange messages
Cc: "oldfart@gtonet" , security@FreeBSD.ORG
In-Reply-To: <20010308113347.A7928@Odin.AC.HMC.Edu>
References: <5.0.2.1.0.20010308130833.00adec88@pop.schulte.org> <20010308100755.A13090@Odin.AC.HMC.Edu> <20010308103500.C13090@Odin.AC.HMC.Edu> <5.0.2.1.0.20010308130833.00adec88@pop.schulte.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:33 AM 3/8/2001 -0800, Brooks Davis wrote:
>On Thu, Mar 08, 2001 at 01:12:41PM -0600, Christopher Schulte wrote:
> > You can convince the kernel to use a more user-defined port range(s) for
> > dynamic outbound connections with a few sysctl vars, thus making firewall
> > confs a bit easier to craft and maintain:
> >
> > `sysctl -a | grep portrange`
>
>Is there some actual documentation on what these do somewhere? Just
>being able to limit the range of arbitrary ports doesn't do anything, but
>I can't see what else you could do with these.
If you told the kernel to initiate all outbound connections between say ports
2000-4000, then you wouldn't have to worry about filtering lower ports, to kick
those pesky rpc services - which as was mentioned cannot always be told to live
on a user defined port.

As far as docs: Yah, do a man on ip(4) or
http://people.freebsd.org/~adrian/sysctl.descriptions

>-- Brooks
>
>--
>Any statement of the form "X is the one, true Y" is FALSE.
>PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
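As an added illustration of the point made in this exchange (not code from either poster), the following Python reads a constructed `sysctl -a | grep portrange` dump in which `net.inet.ip.portrange.first`/`last` have been set to 2000/4000, derives the dynamic range, emits the corresponding ipfw reply-only rules, and models why inbound packets to low ports such as the RPC services then need no per-port deny rules. The interface name `fxp0` and the sample values are assumptions.

```python
import re

# Constructed sample of `sysctl -a | grep portrange` output from a FreeBSD
# host tuned so unprivileged outbound sockets pick ports only in 2000-4000.
SAMPLE_SYSCTL = """\
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 2000
net.inet.ip.portrange.last: 4000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
"""

def parse_portrange(text):
    """Map each net.inet.ip.portrange.* variable to its integer value."""
    return {m.group(1): int(m.group(2)) for m in
            re.finditer(r"net\.inet\.ip\.portrange\.(\w+):\s*(\d+)", text)}

def dynamic_range(pr, high=False):
    """Ports the kernel hands out for outbound connections: first..last for
    ordinary sockets, hifirst..hilast for sockets using IP_PORTRANGE_HIGH."""
    lo, hi = (pr["hifirst"], pr["hilast"]) if high else (pr["first"], pr["last"])
    return (lo, hi) if lo <= hi else (hi, lo)  # sysctl accepts either order

def ipfw_rules(pr, iface="fxp0"):
    """ipfw rules admitting only replies into the dynamic range (fxp0 is a
    hypothetical interface); every other inbound TCP packet is denied and logged."""
    lo, hi = dynamic_range(pr)
    return [
        f"add allow tcp from me to any out via {iface} setup",
        f"add allow tcp from any to me {lo}-{hi} in via {iface} established",
        f"add deny log tcp from any to me in via {iface}",
    ]

def inbound_tcp_allowed(pr, dst_port, established):
    """Model the decision the rule set above makes for one inbound TCP
    segment: a reply into the dynamic range passes, everything else is dropped,
    so low ports such as the RPC services need no dedicated deny rules."""
    lo, hi = dynamic_range(pr)
    return established and lo <= dst_port <= hi

PORTRANGE = parse_portrange(SAMPLE_SYSCTL)
```

Programs that request `IP_PORTRANGE_HIGH` draw from `hifirst`..`hilast` instead, so a ruleset built this way must also cover that range if such programs run on the host.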