From owner-freebsd-security Fri Dec 19 07:38:52 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA24248 for security-outgoing; Fri, 19 Dec 1997 07:38:52 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA24240 for ; Fri, 19 Dec 1997 07:38:49 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id HAA19837; Fri, 19 Dec 1997 07:38:42 -0800 (PST)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaaEnaa; Fri Dec 19 07:38:36 1997
Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id HAA00996; Fri, 19 Dec 1997 07:38:18 -0800 (PST)
Message-Id: <199712191538.HAA00996@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpd000987; Fri Dec 19 15:38:00 1997
X-Mailer: exmh version 2.0zeta 7/24/97
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: Adam Shostack
cc: firewall-wizards@nfr.net (Firewall Wizards List), freebsd-security@freebsd.org
Subject: Re: Kernel options for FW?
In-reply-to: Your message of "Thu, 18 Dec 1997 11:15:02 EST." <199712181615.LAA14478@homeport.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 19 Dec 1997 07:37:59 -0800
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> (This is not meant to spark a religious war. I'm asking for help
> configuring a kernel, and comparing kernel security features between
> FreeBSD and NetBSD to make a reasonable decision.)
>
> On NetBSD, I'd enable the following options. I can't find equivalents
> to these on FreeBSD. Do they exist, and what are they? Also, I know
> FreeBSD sets kernel security wrong (-1) by default, and that needs to
> be fixed. Are there other things that I should know about on FreeBSD
> to do everything right?
>
> options IPFORWSRCRT=0 //Turn off source routing.

Under FreeBSD you would use:

    ipfw deny ... ipoptions ssrr
    ipfw deny ... ipoptions lsrr
    ipfw deny ... ipoptions rr

> options IPNOPRIVPORTS //Remove concept of priv'd ports so BIND doesn't
> //need to run as root.

There is no equivalent in FreeBSD-stable. I'm not sure whether -current has it.

> options IPFILTER_DEFAULT_BLOCK //Put my FW policy in the kernel.

The FreeBSD default is BLOCK and is defined as rule 65535. If you wish to make the default PASS, then you'd define rule 65534 with the pass option.

> options FDSCRIPTS // Allow a script to be run if it is x only, by
> // passing a file descriptor to the interpreter,
> // avoiding some race conditions.

I'm not sure that I understand, but I'll attempt to answer it anyway. Using divert sockets you can divert packets to an arbitrary piece of code, e.g. NAT. To set up a divert socket you would use the divert option of ipfw.

> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume

Regards,                       Phone:    (250)387-8437
Cy Schubert                    Fax:      (250)387-5766
UNIX Support                   OV/VM:    BCSC02(CSCHUBER)
ITSD                           BITNET:   CSCHUBER@BCSC02.BITNET
Government of BC               Internet: cschuber@uumail.gov.bc.ca
                                         Cy.Schubert@gems8.gov.bc.ca

"Quit spooling around, JES do it."
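The three `ipfw deny ... ipoptions` rules above match packets whose IPv4 header carries a record-route or source-route option. The following is an added example (not code from the message or from FreeBSD) that walks the IPv4 option list the way such a filter must, and flags the rr/lsrr/ssrr options; the sample packets it builds are constructed here for illustration.

```python
import struct

# IPv4 option type codes (RFC 791) for the options the ipfw rules deny
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_NAMES = {7: "rr", 131: "lsrr", 137: "ssrr"}


def parse_ipoptions(packet: bytes) -> list:
    """Return the ipfw 'ipoptions' names (rr/lsrr/ssrr) present in an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, 20..60
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    opts = packet[20:ihl]
    found = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:             # end of option list
            break
        if kind == IPOPT_NOP:             # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")  # malformed; a filter should drop
        if kind in IPOPT_NAMES:
            found.append(IPOPT_NAMES[kind])
        i += length
    return found


def build_packet(options: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (10.0.0.1 -> 10.0.0.2) plus options."""
    options += b"\x00" * (-len(options) % 4)     # pad option list to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + options


def would_be_denied(packet: bytes) -> bool:
    """True when any of the three 'ipfw deny ... ipoptions' rules would match."""
    return bool(parse_ipoptions(packet))


if __name__ == "__main__":
    # LSRR option: type 131, length 7, pointer 4, one hop address 192.0.2.1
    print(parse_ipoptions(build_packet(bytes([131, 7, 4, 192, 0, 2, 1]))))
```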