Date:      Mon, 17 Apr 2000 17:27:32 -0700 (PDT)
From:      Bhishan Hemrajani <bhishan@cytosine.dhs.org>
To:        Salvo Bartolotta <bartequi@neomedia.it>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: firewall & kernel tcp_options
Message-ID:  <200004180027.e3I0RWE16186@cytosine.dhs.org>
In-Reply-To: <20000417.23513400@bartequi.ottodomain.org> from Salvo Bartolotta at "Apr 17, 2000 11:51:34 pm"

<snip>
> 
> Question I
> The kernel options "TCP_DROP_SYNFIN" should (?) be equivalent to a
> firewall rule like "add <rule_number> deny [log] tcp from any to any in
> tcpflags fin,syn". Which of those, if any, is "better" (eg more
> reliable, or efficient) ?
> 

Actually, you add tcp_drop_synfin="YES" in rc.conf. 

> Question II
> The kernel options TCP_RESTRICT_RST should (?) be similar to a 
> firewall
> rule like "add <rule_number> deny [log] tcp from any to any out tcpflags
> rst". I seem to understand that the former *limits* the outgoing "rst
> traffic"  whilst the latter *kills* the outgoing "rst traffic". Is 
> this
> correct ?

Same thing with this one; put tcp_restrict_rst="YES" in /etc/rc.conf


--bhishan


> Also, is the former option more "resistant" to massive attacks (scans)
> ?
> 
> Question III
> Does it make any sense to use *all* of the following: the
> TCP_DROP_SYNFIN, TCP_RESTRICT_RST, ICMP_BANDLIM kernel options; the
> tcp blackhole behavio(u)r (level 2) and the udp blackhole behavio(u)r
> (level 1); the log_in_vain feature (/etc/rc.conf); and a set of
> appropriate (ipfw) packet filters rules (eg dropping packets directed
> to such delicate ports as 6000-6063 etc.)
> 
> Am I missing anything (else) ?
> 
> Many thanks in advance for your help.
> 
> Best regards,
> Salvo
> 
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

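The thread compares the TCP_DROP_SYNFIN kernel option (net.inet.tcp.drop_synfin, enabled via tcp_drop_synfin="YES" in rc.conf) with an ipfw rule using "tcpflags fin,syn". Both test the same bits of the TCP header: a segment with SYN and FIN set at once is never produced by a conforming stack and is typically a fingerprinting probe, so dropping it costs nothing. The following Python is an added illustration, not code from the thread or from FreeBSD: it decodes the flags byte of a raw TCP header, implements the ipfw "tcpflags" matching semantics (listed flags must be set, "!" flags must be clear) and the SYN+FIN test that drop_synfin performs, and runs both over a few constructed segments. The flag bit values are the standard RFC 793 / netinet/tcp.h ones; the segment builder and sample packets are constructed for the example.

```python
import struct

# TCP flag bits as defined in RFC 793 and netinet/tcp.h
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"fin": TH_FIN, "syn": TH_SYN, "rst": TH_RST,
             "psh": TH_PSH, "ack": TH_ACK, "urg": TH_URG}


def build_segment(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (no options) for the example; seq/ack/checksum left zero."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the 6-bit flags field of a raw TCP header (byte 13, low six bits)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F


def parse_tcpflags(spec: str):
    """Parse an ipfw 'tcpflags' spec such as 'fin,syn' or 'syn,!ack' into (must_set, must_clear)."""
    must_set = must_clear = 0
    for token in spec.split(","):
        token = token.strip().lower()
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag: {name}")
        if negated:
            must_clear |= FLAG_BITS[name]
        else:
            must_set |= FLAG_BITS[name]
    return must_set, must_clear


def rule_matches(spec: str, flags: int) -> bool:
    """ipfw semantics: every listed flag set, every '!' flag clear."""
    must_set, must_clear = parse_tcpflags(spec)
    return (flags & must_set) == must_set and (flags & must_clear) == 0


def drop_synfin(flags: int) -> bool:
    """The test net.inet.tcp.drop_synfin applies: SYN and FIN set together."""
    return (flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)


def classify(segments):
    """For each (label, segment) report whether the kernel knob and the ipfw rule would drop it."""
    report = []
    for label, seg in segments:
        flags = tcp_flags(seg)
        report.append((label, drop_synfin(flags), rule_matches("fin,syn", flags)))
    return report


# Constructed sample traffic: a normal handshake SYN, a SYN+FIN probe, and a plain FIN/ACK close.
SAMPLES = [
    ("normal SYN to 80", build_segment(40000, 80, TH_SYN)),
    ("SYN+FIN probe to 6000", build_segment(40001, 6000, TH_SYN | TH_FIN)),
    ("FIN/ACK close", build_segment(40002, 22, TH_FIN | TH_ACK)),
]

if __name__ == "__main__":
    for label, by_kernel, by_ipfw in classify(SAMPLES):
        print(f"{label:24s} drop_synfin={by_kernel!s:5s} ipfw tcpflags fin,syn={by_ipfw}")
```

Running the block shows that only the SYN+FIN segment is dropped, and that the kernel knob and the ipfw rule agree on every sample; the practical difference the thread asks about is where the check runs (the TCP input path versus the packet filter, which can also log the hit) rather than what it tests.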