From: Salvo Bartolotta
Date: Mon, 17 Apr 2000 23:51:34 GMT
Message-ID: <20000417.23513400@bartequi.ottodomain.org>
Subject: firewall & kernel tcp_options
To: freebsd-questions@FreeBSD.ORG

Dear FreeBSDers,

I am running a 4.0-S system (as of a week ago), and I have a few doubts about the exact meaning and interrelations of some kernel and firewall settings.

Question I

The kernel option "TCP_DROP_SYNFIN" should (?) be equivalent to a firewall rule like "add deny [log] tcp from any to any in tcpflags fin,syn". Which of those, if any, is "better" (e.g. more reliable, or efficient)?

Question II

The kernel option TCP_RESTRICT_RST should (?) be similar to a firewall rule like "add deny [log] tcp from any to any out tcpflags rst". I seem to understand that the former *limits* the outgoing "rst traffic" whilst the latter *kills* the outgoing "rst traffic". Is this correct? Also, is the former option more "resistant" to massive attacks (scans)?

Question III

Does it make any sense to use *all* of the following: the TCP_DROP_SYNFIN, TCP_RESTRICT_RST, ICMP_BANDLIM kernel options; the tcp blackhole behavio(u)r (level 2) and the udp blackhole behavio(u)r (level 1); the log_in_vain feature (/etc/rc.conf); and a set of appropriate (ipfw) packet filter rules (e.g. dropping packets directed to such delicate ports as 6000-6063 etc.)? Am I missing anything (else)?

Many thanks in advance for your help.

Best regards,
Salvo
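The two ipfw rules quoted in Questions I and II match on the TCP flag byte, and it helps to see exactly which segments such a rule selects. The script below is an added example (not from the post, not FreeBSD or ipfw code): it parses the flag field out of a raw TCP header and evaluates an ipfw-style `tcpflags` specification with ipfw's documented semantics (every listed flag must be set, a `!flag` must be clear, flags not mentioned are ignored), then runs a small first-match rule list modelled on the post's two rules over constructed headers. The header builder, the rule table and the default action are constructed for the demonstration; the kernel options themselves (TCP_DROP_SYNFIN, TCP_RESTRICT_RST) are not modelled here.

```python
import struct

# TCP flag bits in the 14th header byte (RFC 793 layout: URG ACK PSH RST SYN FIN).
FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header (no options, zero checksum/seq)."""
    data_offset_and_flags = (5 << 12) | (flags & 0x3F)  # offset=5 words, flags in low byte
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, data_offset_and_flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header (>= 20 bytes)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F


def parse_tcpflags_spec(spec: str):
    """Parse an ipfw-style spec such as 'fin,syn' or 'syn,!ack'.

    Returns (must_set, must_clear) bitmasks.
    """
    must_set = must_clear = 0
    for token in spec.split(","):
        token = token.strip().lower()
        name = token.lstrip("!")
        if name not in FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        if token.startswith("!"):
            must_clear |= FLAGS[name]
        else:
            must_set |= FLAGS[name]
    return must_set, must_clear


def rule_matches(spec: str, segment: bytes) -> bool:
    """True if the segment's flags satisfy the tcpflags spec (other flags ignored)."""
    must_set, must_clear = parse_tcpflags_spec(spec)
    flags = tcp_flags(segment)
    return (flags & must_set) == must_set and (flags & must_clear) == 0


# Constructed rule table modelled on the two rules quoted in the post:
#   add deny tcp from any to any in  tcpflags fin,syn
#   add deny tcp from any to any out tcpflags rst
# followed by a constructed catch-all allow so first-match has a terminal rule.
RULES = [
    ("deny", "in", "fin,syn"),
    ("deny", "out", "rst"),
    ("allow", "any", None),
]


def first_match(segment: bytes, direction: str, rules=RULES) -> str:
    """Return the action of the first rule whose direction and flags match."""
    for action, rule_dir, spec in rules:
        if rule_dir != "any" and rule_dir != direction:
            continue
        if spec is None or rule_matches(spec, segment):
            return action
    return "deny"  # constructed default if no rule matched


if __name__ == "__main__":
    # Constructed sample segments: a normal open, a SYN+FIN, a RST+ACK, a SYN+ACK.
    samples = {
        "syn": build_tcp_header(40000, 22, FLAGS["syn"]),
        "syn+fin": build_tcp_header(40000, 22, FLAGS["syn"] | FLAGS["fin"]),
        "rst+ack": build_tcp_header(22, 40000, FLAGS["rst"] | FLAGS["ack"]),
        "syn+ack": build_tcp_header(22, 40000, FLAGS["syn"] | FLAGS["ack"]),
    }
    for name, seg in samples.items():
        print(f"{name:8s} in={first_match(seg, 'in'):5s} out={first_match(seg, 'out')}")
```

Running it shows that the `in tcpflags fin,syn` rule selects only segments carrying both SYN and FIN (a plain SYN or a SYN+ACK passes), and that the `out tcpflags rst` rule drops every outbound segment with RST set regardless of ACK or other flags, which is the "kills all outgoing rst traffic" reading the post gives it.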