From: Salvo Bartolotta
Date: Tue, 14 Mar 2000 01:08:06 GMT
Message-ID: <20000314.1080600@bartequi.ottodomain.org>
Subject: firewall questions
To: freebsd-questions@FreeBSD.ORG

Dear FreeBSDers,

I was wondering whether there was some difference between:

1A) add 1000 deny log tcp from any to localhost in tcpflags fin,syn
1B) Kernel "options TCP_DROP_SYNFIN"

2A) add 2000 deny tcp from localhost to any out tcpflags rst
2B) Kernel "options TCP_RESTRICT_RST"

3A) add 3000 deny icmp from localhost to any out
3B) Kernel "options ICMP_BANDLIM"

In and out are probably redundant here.

AFAICS, 3A) denies ALL icmp traffic from localhost, whereas 3B) only limits that type of traffic. However, the difference between 1A) and 1B), as well as between 2A) and 2B), seems harder to tell. In particular I wonder whether there is some *efficiency* difference between them.

Am I (yawn) missing anything obvious?

I built a firewall for my home box. I was not paranoid: inter alia, I was port scanned a few times. Although I had disabled all unnecessary things, I felt it necessary to deny ip *fragments* etc. Yahoo docet :-)

I seem to understand that the most comprehensive, powerful and (perhaps) efficient defence instrument (as a packet filter tool) is ipfw(8). Is this correct, too?

Thanks in advance and best regards from (yawning yet again)

Salvo
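As an added example (not part of Salvo's message, and not FreeBSD's own ipfw or kernel code), the following Python models what the `tcpflags` clause of rule 1A) matches: every listed flag must be set, a `!`-prefixed flag must be clear, and flags not mentioned are ignored. The TCP segments are constructed inline with the assumed helper `build_tcp_header`, so the block runs offline.

```python
import struct

# TCP flag bits in the flags octet (byte 13 of the TCP header, RFC 793).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_tcpflags_spec(spec):
    """Parse an ipfw-style tcpflags list, e.g. 'fin,syn' or 'syn,!ack'.

    Returns (must_set, must_clear) bitmasks: listed flags must be set,
    '!'-prefixed flags must be clear; flags not mentioned are ignored.
    """
    must_set = must_clear = 0
    for token in spec.split(","):
        token = token.strip().lower()
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name!r}")
        if negated:
            must_clear |= TCP_FLAGS[name]
        else:
            must_set |= TCP_FLAGS[name]
    return must_set, must_clear


def tcpflags_match(flags_byte, spec):
    """True if a flags octet satisfies the tcpflags clause."""
    must_set, must_clear = parse_tcpflags_spec(spec)
    return (flags_byte & must_set) == must_set and (flags_byte & must_clear) == 0


def tcp_flags_from_segment(segment):
    """Read the flags octet from a raw TCP segment (minimum 20-byte header)."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    return segment[13] & 0x3F  # keep the six RFC 793 flag bits


def build_tcp_header(src_port, dst_port, flags):
    """Constructed 20-byte TCP header for the demonstration (no options, zero checksum)."""
    data_offset = 5 << 4  # header length in 32-bit words, in the high nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def classify(segments, spec="fin,syn"):
    """Apply rule 1A)'s tcpflags clause; return (index, set flag names) for each match."""
    hits = []
    for i, seg in enumerate(segments):
        flags = tcp_flags_from_segment(seg)
        if tcpflags_match(flags, spec):
            names = [n for n, bit in TCP_FLAGS.items() if flags & bit]
            hits.append((i, names))
    return hits


# Constructed sample traffic: a normal SYN, a SYN+FIN, a FIN+ACK and a SYN+FIN+ACK.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 22, TCP_FLAGS["syn"]),
    build_tcp_header(40001, 22, TCP_FLAGS["syn"] | TCP_FLAGS["fin"]),
    build_tcp_header(40002, 22, TCP_FLAGS["fin"] | TCP_FLAGS["ack"]),
    build_tcp_header(40003, 22, TCP_FLAGS["syn"] | TCP_FLAGS["fin"] | TCP_FLAGS["ack"]),
]

if __name__ == "__main__":
    for idx, names in classify(SAMPLE_SEGMENTS):
        print(f"segment {idx}: flags {'+'.join(names)} match 'tcpflags fin,syn'")
```

Only the second and fourth constructed segments match, because `tcpflags fin,syn` requires both bits set and does not care about ACK. Note that this models only the filter rule: the kernel option in 1B) acts inside TCP input processing rather than in the packet filter, so a userland model like this one says nothing about how the two compare in cost.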