Date:      Fri, 19 Dec 1997 07:37:59 -0800
From:      Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        Adam Shostack <adam@homeport.org>
Cc:        firewall-wizards@nfr.net (Firewall Wizards List), freebsd-security@freebsd.org
Subject:   Re: Kernel options for FW? 
Message-ID:  <199712191538.HAA00996@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 18 Dec 1997 11:15:02 EST." <199712181615.LAA14478@homeport.org> 

> (This is not meant to spark a religious war.  I'm asking for help
> configuring a kernel, and comparing kernel security features between
> FreeBSD and NetBSD to make a reasonable decision.)
> 
> On NetBSD, I'd enable the following options.  I can't find equivalents
> to these on FreeBSD.  Do they exist, and what are they?   Also, I know
> FreeBSD sets kernel security wrong (-1) by default, and that needs to
> be fixed.  Are there other things that I should know about on FreeBSD
> to do everything right?
> 
> 
> options IPFORWSRCRT=0 //Turn off source routing.

Under FreeBSD you would use,

ipfw deny ... ipoptions ssrr
ipfw deny ... ipoptions lsrr
ipfw deny ... ipoptions rr

> 
> options IPNOPRIVPORTS //Remove concept of priv'd ports so BIND doesn't
> 		      //need to run as root.

There is no equivalent in FreeBSD-stable.  I'm not sure whether -current has 
it.

> 
> options IPFILTER_DEFAULT_BLOCK //Put my FW policy in the kernel.

The FreeBSD default is BLOCK and is defined as rule 65535.  If you wish to 
make the default PASS, then you'd define rule 65534 with the pass option.

> 
> options FDSCRIPTS // Allow a script to be run if it is x only, by
> 		 // passing a file descriptor to the interpreter,
> 		 // avoiding some race conditions.

I'm not sure that I understand, but I'll attempt to answer it anyway.  Using 
divert sockets you can divert packets to an arbitrary piece of code, e.g. NAT.
To set up a divert socket you would use the divert option of ipfw.

>   
> Adam
> 
> -- 
> "It is seldom that liberty of any kind is lost all at once."
> 					               -Hume
> 
> 
> 



Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

		"Quit spooling around, JES do it."
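As an added illustration (not part of this message, and not ipfw's own code): a Python parser that walks the IPv4 options field and reports which of the rr, lsrr and ssrr options the three `ipfw deny ... ipoptions` rules above would match; the sample headers are constructed here, with zeroed checksums.

```python
import struct

# IPv4 option numbers from RFC 791; ipfw's ipoptions keywords map onto these.
IPOPT_NAMES = {7: "rr", 131: "lsrr", 137: "ssrr"}


def ip_options(packet: bytes) -> set:
    """Return the ipfw 'ipoptions' keywords present in an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: end of option list
            break
        if kind == 1:                      # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        if kind in IPOPT_NAMES:
            found.add(IPOPT_NAMES[kind])
        i += opts[i + 1]                   # skip over this option
    return found


def source_route_deny(packet: bytes) -> bool:
    """True when one of 'deny ipoptions ssrr/lsrr/rr' would match this header."""
    return bool(ip_options(packet) & {"ssrr", "lsrr", "rr"})


def build_header(options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (checksum zeroed) plus padded options."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return fixed + options


# Constructed samples: a loose-source-routed header with one hop, and a plain one.
LSRR_PKT = build_header(b"\x83\x07\x04" + b"\x0a\x00\x00\x09")
PLAIN_PKT = build_header()
```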