From owner-freebsd-questions Mon Apr 17 17:27:47 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from cytosine.dhs.org (cx272244-a.orng1.occa.home.com [24.1.177.149])
	by hub.freebsd.org (Postfix) with ESMTP id B18BF37BBCD
	for ; Mon, 17 Apr 2000 17:27:41 -0700 (PDT)
	(envelope-from bhishan@cytosine.dhs.org)
Received: (from bhishan@localhost)
	by cytosine.dhs.org (8.10.0/8.10.0) id e3I0RWE16186;
	Mon, 17 Apr 2000 17:27:32 -0700 (PDT)
From: Bhishan Hemrajani
Message-Id: <200004180027.e3I0RWE16186@cytosine.dhs.org>
Subject: Re: firewall & kernel tcp_options
In-Reply-To: <20000417.23513400@bartequi.ottodomain.org> from Salvo Bartolotta at "Apr 17, 2000 11:51:34 pm"
To: Salvo Bartolotta
Date: Mon, 17 Apr 2000 17:27:32 -0700 (PDT)
Cc: freebsd-questions@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > Question I
> The kernel options "TCP_DROP_SYNFIN" should (?) be equivalent to a
> firewall rule like "add deny [log] tcp from any to any in
> tcpflags fin,syn". Which of those, if any, is "better" (eg more
> reliable, or efficient)?

Actually, you add tcp_drop_synfin="YES" in rc.conf.

> Question II
> The kernel options TCP_RESTRICT_RST should (?) be similar to a firewall
> rule like "add deny [log] tcp from any to any out tcpflags rst".
> I seem to understand that the former *limits* the outgoing "rst
> traffic" whilst the latter *kills* the outgoing "rst traffic". Is this
> correct?

Same thing with this one, put tcp_restrict_rst="YES" in /etc/rc.conf

--bhishan

> Also, is the former option more "resistant" to massive attacks (scans)?
>
> > Question III
> Does it make any sense to use *all* of the following: the
> TCP_DROP_SYNFIN, TCP_RESTRICT_RST, ICMP_BANDLIM kernel options; the
> tcp blackhole behavio(u)r (level 2) and the udp blackhole behavio(u)r
> (level 1); the log_in_vain feature (/etc/rc.conf); and a set of
> appropriate (ipfw) packet filter rules (eg dropping packets directed
> to such delicate ports as 6000-6063 etc.)?
>
> Am I missing anything (else)?
>
> Many thanks in advance for your help.
>
> Best regards,
> Salvo


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
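The SYN+FIN and RST matching that Questions I and II compare, as an added worked example (editor's code, not part of the original mail and not FreeBSD source): it pulls the flag byte out of a raw TCP header and emulates two of the mechanisms side by side, the kernel's drop_synfin check (drop any incoming segment with both SYN and FIN set) and ipfw's `tcpflags` matcher (every listed flag must be set, every `!flag` must be clear, flags not mentioned are ignored, per ipfw(8)). The two-rule list and the sample segments are constructed assumptions; tcp_restrict_rst is not modelled.

```python
import struct

# TCP flag bits (low six bits of header byte 13, RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"fin": FIN, "syn": SYN, "rst": RST, "psh": PSH, "ack": ACK, "urg": URG}

# Assumed ruleset, mirroring the two ipfw rules quoted in the thread:
#   add deny log tcp from any to any in  tcpflags syn,fin
#   add deny log tcp from any to any out tcpflags rst
RULES = (("in", "syn,fin"), ("out", "rst"))


def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header for the demo: seq/ack/checksum/urgent
    pointer zeroed, data offset 5 (no options), window 8192."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def tcp_flags(segment):
    """Extract the six flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F


def ipfw_tcpflags_match(flags, spec):
    """Emulate ipfw's 'tcpflags spec': each listed flag must be set, each
    '!flag' must be clear, flags not mentioned are ignored. Hence 'syn,fin'
    also matches SYN+FIN+ACK or SYN+FIN+PSH+URG probes."""
    for item in spec.lower().split(","):
        item = item.strip()
        want_clear = item.startswith("!")
        bit = FLAG_BITS[item.lstrip("!")]
        if bool(flags & bit) == want_clear:
            return False
    return True


def kernel_drop_synfin(flags):
    """TCP_DROP_SYNFIN / net.inet.tcp.drop_synfin: the stack drops an
    incoming segment when SYN and FIN are both set, whatever else is set."""
    return flags & (SYN | FIN) == (SYN | FIN)


def verdict(direction, segment):
    """Return the set of mechanisms that would drop this segment."""
    flags = tcp_flags(segment)
    dropped_by = set()
    for rule_dir, spec in RULES:
        if rule_dir == direction and ipfw_tcpflags_match(flags, spec):
            dropped_by.add(f"ipfw deny {rule_dir} tcpflags {spec}")
    if direction == "in" and kernel_drop_synfin(flags):
        dropped_by.add("drop_synfin")
    return dropped_by


def demo():
    """Constructed sample traffic; returns {label: sorted list of mechanisms}."""
    samples = [
        ("normal SYN in",              "in",  build_tcp_header(40000, 22, SYN)),
        ("SYN+FIN probe in",           "in",  build_tcp_header(40001, 22, SYN | FIN)),
        ("SYN+FIN+ACK probe in",       "in",  build_tcp_header(40002, 22, SYN | FIN | ACK)),
        ("FIN-only probe in",          "in",  build_tcp_header(40003, 22, FIN)),
        ("RST+ACK to closed port out", "out", build_tcp_header(6000, 40004, RST | ACK)),
        ("data ACK out",               "out", build_tcp_header(22, 40000, ACK | PSH)),
    ]
    return {label: sorted(verdict(d, seg)) for label, d, seg in samples}


if __name__ == "__main__":
    for label, dropped in demo().items():
        print(f"{label:28s} -> {dropped or ['passes']}")
```

Two things the output makes visible: the `out tcpflags rst` rule drops every outbound RST, including the RST+ACK the stack would send for a probe of a closed port, which is the "kills" behaviour the question contrasts with a limiter; and a FIN-only probe passes both the `syn,fin` rule and drop_synfin, so neither check replaces a proper ruleset.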