Date: Mon, 17 Apr 2000 17:27:32 -0700 (PDT)
From: Bhishan Hemrajani <bhishan@cytosine.dhs.org>
To: Salvo Bartolotta <bartequi@neomedia.it>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: firewall & kernel tcp_options
Message-ID: <200004180027.e3I0RWE16186@cytosine.dhs.org>
In-Reply-To: <20000417.23513400@bartequi.ottodomain.org> from Salvo Bartolotta at "Apr 17, 2000 11:51:34 pm"
<snip>
> Question I
> The kernel option "TCP_DROP_SYNFIN" should (?) be equivalent to a
> firewall rule like "add <rule_number> deny [log] tcp from any to any in
> tcpflags fin,syn". Which of those, if any, is "better" (e.g. more
> reliable, or efficient)?
>

Actually, you add tcp_drop_synfin="YES" in rc.conf.

> Question II
> The kernel option TCP_RESTRICT_RST should (?) be similar to a
> firewall rule like "add <rule_number> deny [log] tcp from any to any out
> tcpflags rst". I seem to understand that the former *limits* the outgoing
> "rst traffic" whilst the latter *kills* the outgoing "rst traffic". Is
> this correct?

Same thing with this one, put tcp_restrict_rst="YES" in /etc/rc.conf

--bhishan

> Also, is the former option more "resistant" to massive attacks (scans)?
>
> Question III
> Does it make any sense to use *all* of the following: the
> TCP_DROP_SYNFIN, TCP_RESTRICT_RST, ICMP_BANDLIM kernel options; the
> tcp blackhole behavio(u)r (level 2) and the udp blackhole behavio(u)r
> (level 1); the log_in_vain feature (/etc/rc.conf); and a set of
> appropriate (ipfw) packet filter rules (e.g. dropping packets directed
> to such delicate ports as 6000-6063 etc.)?
>
> Am I missing anything (else)?
>
> Many thanks in advance for your help.
>
> Best regards,
> Salvo
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
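The following is an added example, not code from the thread or from FreeBSD: an offline Python model of the two mechanisms compared in Question I, plus the closed-port behaviour of the tcp/udp blackhole levels named in Question III. `drop_synfin()` models what `tcp_drop_synfin="YES"` (sysctl `net.inet.tcp.drop_synfin=1`) discards, `ipfw_tcpflags_match()` models how an ipfw `tcpflags` option matches a segment, and `closed_port_reply()` follows the blackhole(4) semantics. The TCP headers are constructed in the script; nothing here touches a real kernel, and the function and sample names are the example's own.

```python
"""Offline model of TCP_DROP_SYNFIN vs. an ipfw 'tcpflags fin,syn' rule, and of
net.inet.tcp.blackhole / net.inet.udp.blackhole replies (added example, not FreeBSD code)."""
import struct

# TCP flag bits in the low six bits of the data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"fin": FIN, "syn": SYN, "rst": RST, "psh": PSH, "ack": ACK, "urg": URG}


def build_tcp_header(sport, dport, flags, seq=0, ack_no=0, window=65535):
    """Minimal 20-byte TCP header (no options, checksum left zero). Constructed test input."""
    offset_and_flags = (5 << 12) | flags          # data offset = 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack_no, offset_and_flags, window, 0, 0)


def tcp_flags(header):
    """Extract the six classic flag bits from a raw TCP header."""
    return struct.unpack("!H", header[12:14])[0] & 0x3F


def drop_synfin(flags):
    """Model of net.inet.tcp.drop_synfin=1: drop any segment with SYN and FIN both set."""
    return flags & (SYN | FIN) == (SYN | FIN)


def ipfw_tcpflags_match(flags, spec):
    """Model of ipfw's 'tcpflags spec': every listed flag must be set, every '!'-prefixed
    flag must be clear, and flags not mentioned in spec are ignored."""
    for item in spec.split(","):
        item = item.strip().lower()
        must_be_clear = item.startswith("!")
        bit = FLAG_NAMES[item.lstrip("!")]
        if must_be_clear and flags & bit:
            return False
        if not must_be_clear and not flags & bit:
            return False
    return True


def closed_port_reply(proto, flags, tcp_blackhole=0, udp_blackhole=0):
    """Reply sent for a packet to a port nothing listens on, per blackhole(4):
    tcp_blackhole=1 silences the RST for SYNs only, 2 for every segment;
    udp_blackhole=1 silences the ICMP port unreachable. Incoming RSTs are never answered."""
    if proto == "tcp":
        if flags & RST:
            return None
        if tcp_blackhole >= 2:
            return None
        if tcp_blackhole == 1 and flags & SYN:
            return None
        return "rst"
    if proto == "udp":
        return None if udp_blackhole else "icmp-port-unreach"
    raise ValueError(proto)


def compare_synfin_mechanisms():
    """Run constructed inbound segments through the sysctl model and the ipfw rule.
    Returns {description: (dropped_by_drop_synfin, matched_by_ipfw_rule)}."""
    samples = {                                   # constructed sample segments
        "plain SYN": SYN,
        "SYN+FIN": SYN | FIN,
        "SYN+FIN+ACK": SYN | FIN | ACK,
        "FIN only": FIN,
    }
    rule = "fin,syn"                              # the rule from Question I
    out = {}
    for name, flags in samples.items():
        hdr = build_tcp_header(sport=40000, dport=22, flags=flags)
        f = tcp_flags(hdr)
        out[name] = (drop_synfin(f), ipfw_tcpflags_match(f, rule))
    return out


if __name__ == "__main__":
    for name, (by_sysctl, by_ipfw) in compare_synfin_mechanisms().items():
        print(f"{name:12s} drop_synfin={by_sysctl!s:5s} ipfw 'tcpflags fin,syn'={by_ipfw}")
    print("SYN to closed port, tcp.blackhole=2:", closed_port_reply("tcp", SYN, tcp_blackhole=2))
```

On these samples the sysctl and the ipfw rule select exactly the same segments (anything with SYN and FIN set, whatever the other flags), so the choice between them is about where the drop happens and whether you want the `log` keyword's visibility, not about which packets are caught. The blackhole model also shows why level 2 is the "quiet" setting: with level 1 a bare ACK probe to a closed port still draws an RST.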
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200004180027.e3I0RWE16186>