Date: Mon, 17 Apr 2000 23:51:34 GMT
From: Salvo Bartolotta <bartequi@neomedia.it>
To: freebsd-questions@FreeBSD.ORG
Subject: firewall & kernel tcp_options
Message-ID: <20000417.23513400@bartequi.ottodomain.org>
Dear FreeBSDers,

I am running a 4.0-S system (as of a week ago), and I have a few doubts about the exact meaning and interrelations of some kernel and firewall settings.

Question I

The kernel option "TCP_DROP_SYNFIN" should (?) be equivalent to a firewall rule like

    add <rule_number> deny [log] tcp from any to any in tcpflags fin,syn

Which of those, if any, is "better" (e.g. more reliable, or efficient)?

Question II

The kernel option TCP_RESTRICT_RST should (?) be similar to a firewall rule like

    add <rule_number> deny [log] tcp from any to any out tcpflags rst

I seem to understand that the former *limits* the outgoing "rst traffic" whilst the latter *kills* the outgoing "rst traffic". Is this correct? Also, is the former option more "resistant" to massive attacks (scans)?

Question III

Does it make any sense to use *all* of the following:

- the TCP_DROP_SYNFIN, TCP_RESTRICT_RST, ICMP_BANDLIM kernel options;
- the tcp blackhole behavio(u)r (level 2) and the udp blackhole behavio(u)r (level 1);
- the log_in_vain feature (/etc/rc.conf);
- and a set of appropriate (ipfw) packet filter rules (e.g. dropping packets directed to such delicate ports as 6000-6063 etc.)

Am I missing anything (else)?

Many thanks in advance for your help.

Best regards,
Salvo
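The post contrasts three reactions to a port scan: dropping inbound SYN+FIN segments, dropping every outbound RST (the `deny ... out tcpflags rst` rule), and merely limiting how many RSTs go out. The Python simulation below is an added example, not part of the original message and not FreeBSD code; it runs a constructed 300-probe scan through each policy so the difference between "kills" and "limits" shows up in the counts. The 200-per-second limit, the one-second window and the traffic shape are assumptions made for the illustration; the example does not claim to reproduce what TCP_RESTRICT_RST or ICMP_BANDLIM actually did in the 4.0 kernel.

```python
from dataclasses import dataclass

# TCP flag bits (RFC 793 header layout)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    ts: float        # time in seconds (constructed for the simulation)
    direction: str   # "in" (arriving at the host) or "out" (leaving it)
    flags: int       # TCP flag bits


def drop_synfin(seg: Segment) -> bool:
    """Policy of the SYN+FIN rule in the post: an inbound segment with both
    SYN and FIN set is dropped (True); everything else passes."""
    return seg.direction == "in" and seg.flags & (SYN | FIN) == (SYN | FIN)


def drop_all_rst(seg: Segment) -> bool:
    """Policy of 'deny tcp from any to any out tcpflags rst': every outbound
    RST is dropped, whether the host is under attack or not."""
    return seg.direction == "out" and bool(seg.flags & RST)


class RstRateLimiter:
    """Limit outbound RSTs to `per_second` in each one-second window and drop
    the excess. Stateful: one instance per simulation run. The window length
    and limit are assumptions, not the kernel's values."""

    def __init__(self, per_second: int):
        self.per_second = per_second
        self.window_start = None
        self.count = 0

    def __call__(self, seg: Segment) -> bool:
        if not (seg.direction == "out" and seg.flags & RST):
            return False                    # not an RST: never our business
        if self.window_start is None or seg.ts - self.window_start >= 1.0:
            self.window_start, self.count = seg.ts, 0
        self.count += 1
        return self.count > self.per_second  # True means drop


def port_scan(n: int, duration: float):
    """Constructed probe traffic: n SYN probes to closed ports, spread evenly
    over `duration` seconds. Every 50th probe carries SYN+FIN, a combination
    with no legitimate meaning that some scanners use to fingerprint hosts."""
    return [
        Segment(i * duration / n, "in", SYN | FIN if i % 50 == 0 else SYN)
        for i in range(n)
    ]


def simulate(probes, inbound_policies, outbound_policies):
    """Pass each probe through the inbound chain; a probe that survives hits a
    closed port and the host answers RST+ACK, which then goes through the
    outbound chain. Returns how many probes were dropped and how many RSTs
    left the host or were suppressed."""
    stats = {"probes_dropped": 0, "rst_sent": 0, "rst_suppressed": 0}
    for probe in probes:
        if any(policy(probe) for policy in inbound_policies):
            stats["probes_dropped"] += 1
            continue
        reply = Segment(probe.ts, "out", RST | ACK)
        if any(policy(reply) for policy in outbound_policies):
            stats["rst_suppressed"] += 1
        else:
            stats["rst_sent"] += 1
    return stats


if __name__ == "__main__":
    scan = port_scan(300, 0.5)          # 300 probes in half a second
    print("no policy:        ", simulate(scan, [], []))
    print("drop SYN+FIN:     ", simulate(scan, [drop_synfin], []))
    print("+ deny all RST:   ", simulate(scan, [drop_synfin], [drop_all_rst]))
    print("+ 200 RST/s limit:", simulate(scan, [drop_synfin], [RstRateLimiter(200)]))
```

With the deny-all rule the scanner gets no RSTs at all, which is the "kills" behaviour the post describes (and also means legitimate peers never get a RST for a closed port); with the limiter a burst still gets the first 200 answers in the window and the rest are silently dropped, which is the "limits" behaviour. A slower scan that stays under the limit is not affected by the limiter at all, so rate limiting protects the host's CPU and uplink during a flood rather than hiding which ports are closed.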