From: Freddie Cash
To: freebsd-stable@freebsd.org
Date: Tue, 14 Feb 2012 08:26:54 -0800
Subject: Re: Custom kernel poll summary (was: Re: Reducing the need to compile a custom kernel)

On Tue, Feb 14, 2012 at 7:43 AM, Ian Smith wrote:
> On Tue, 14 Feb 2012 2:37:55 +0100, Alexander Leidinger wrote:
>  > 1 IPSTEALTH                      -> changes ipfw module only?
>
> I don't think this is specific to ipfw.  From /sys/conf/NOTES:
>
> # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
> # packets without touching the TTL).  This can be useful to hide firewalls
> # from traceroute and similar tools.
>
> But can it be disabled once added to kernel?  It's no good as a default.

It's controllable via sysctl once it's compiled into the kernel.  If
it's not compiled into the kernel, then the sysctl doesn't exist.

>  > 1 IPFIREWALL_VERBOSE_LIMIT=5     -> changes ipfw module only?
>  >                                     loader tunable?

This is controllable via sysctl.  Not sure if it needs to be compiled
into the kernel before it's controllable via sysctl, though.  We have it
compiled into all our firewall kernels (with a default of 1000), then
change it via sysctl when needed.

>  > 1 IPFIREWALL_VERBOSE             -> changes ipfw module only?
>  >                                     loader tunable?
>
> sysctl.conf: net.inet.ip.fw.verbose and net.inet.ip.fw.verbose_limit

Ah, you list the sysctls that control the last two.  :)

-- 
Freddie Cash
fjwcash@gmail.com