Date:      Tue, 14 Feb 2012 08:26:54 -0800
From:      Freddie Cash <fjwcash@gmail.com>
To:        freebsd-stable@freebsd.org
Subject:   Re: Custom kernel poll summary (was: Re: Reducing the need to compile a custom kernel)
Message-ID:  <CAOjFWZ6f5QtGY7pVVBgHj%2BxhSJ_QARKPaOjq=ZnfxVz4V-gDGQ@mail.gmail.com>
In-Reply-To: <20120215014738.O95093@sola.nimnet.asn.au>
References:  <20120210145604.Horde.ewjpSpjmRSRPNSH0YRHxgAk@webmail.leidinger.net> <20120214123755.Horde.WkLNcJjmRSRPOkeTw7bUClA@webmail.leidinger.net> <20120215014738.O95093@sola.nimnet.asn.au>

On Tue, Feb 14, 2012 at 7:43 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Tue, 14 Feb 2012 2:37:55 +0100, Alexander Leidinger wrote:
> > 1 IPSTEALTH                  -> changes ipfw module only?
>
> I don't think this is specific to ipfw.  From /sys/conf/NOTES:
>
> # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
> # packets without touching the TTL).  This can be useful to hide firewalls
> # from traceroute and similar tools.
>
> But can it be disabled once added to kernel?  It's no good as a default.

It's controllable via sysctl once it's compiled into the kernel.  If
it's not compiled into the kernel, then the sysctl doesn't exist.

> > 1 IPFIREWALL_VERBOSE_LIMIT=5 -> changes ipfw module only?
> >                                 loader tunable?

This is controllable via sysctl.  Not sure if it needs to be compiled
into the kernel before it's controllable via sysctl, though.  We have
it compiled into all our firewall kernels (with a default of 1000), then
change it via sysctl when needed.

> > 1 IPFIREWALL_VERBOSE         -> changes ipfw module only?
> >                                 loader tunable?
>
> sysctl.conf: net.inet.ip.fw.verbose and net.inet.ip.fw.verbose_limit

Ah, you list the sysctls that control the last two.  :)

-- 
Freddie Cash
fjwcash@gmail.com


