From owner-freebsd-security Sat Jan 22 0:15:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta4.snfc21.pbi.net (mta4.snfc21.pbi.net [206.13.28.142]) by hub.freebsd.org (Postfix) with ESMTP id 9E2F014F88 for ; Sat, 22 Jan 2000 00:15:50 -0800 (PST) (envelope-from madscientist@thegrid.net)
Received: from remus ([63.193.246.169]) by mta4.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8) with SMTP id <0FOQ0032C9L1XG@mta4.snfc21.pbi.net> for freebsd-security@FreeBSD.org; Sat, 22 Jan 2000 00:15:03 -0800 (PST)
Date: Sat, 22 Jan 2000 00:16:09 -0800
From: The Mad Scientist
Subject: Re: TCP/IP
In-reply-to:
X-Sender: i289861@mail.thegrid.net
To: freebsd-security@FreeBSD.org
Message-id: <4.1.20000122001259.00973ea0@mail.thegrid.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Content-type: text/plain; charset="us-ascii"
References: <002801bf61de$b2663560$0900000a@server>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I also use these two options from LINT:

# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
# or any system which one does not want to be easily portscannable.
#
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST

And of course, ICMP_BANDLIM

# ICMP_BANDLIM enables icmp error response bandwidth limiting. You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
options "ICMP_BANDLIM"

This is on a -stable machine.

-Dean

At 11:41 AM 1/18/00 -0600, you wrote:
>On Tue, 18 Jan 2000, Jonathan Fortin wrote:
>> I noticed that most of the firewalls out there don't cover protection e.g,
>> on a denial of service attack, it should ignore the whole protocol
>> but only allow packets with 3k in length. etc.
>
>The only real DoS 'thing' I've noticed is the ICMP_BANDLIM to limit icmp
>error responses, which works fairly well. Most of the DoS stuff, IMHO,
>should be done at the router, and the one on the input-end of the link if
>you can. This protects the link as well as the host. Amplifiers can really
>overwhelm a link... Of course, if you are using FreeBSD as your router,
>this becomes very important on the host again, right Dennis?
>
>I would *love* to hear what others have done besides the usual ipfw rules.
>Thanks - Jy@
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
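The three kernel options Dean lists each express a small host-side policy: drop any TCP segment carrying both SYN and FIN (TCP_DROP_SYNFIN), optionally emit no RST at all (TCP_RESTRICT_RST), and cap the rate of error replies a host sends back per second (ICMP_BANDLIM). The following Python model, added here as an illustration and not code from the list post or from the FreeBSD kernel, shows what those policies decide when a burst of constructed TCP headers arrives for a closed port. The header builder, the per-second budget value and the decision labels are all assumptions made for the example; FreeBSD's real limiter and its default thresholds are not reproduced.

```python
import struct

# TCP flag bits as laid out in byte 13 of a 20-byte TCP header (RFC 793).
TH_FIN = 0x01
TH_SYN = 0x02
TH_RST = 0x04
TH_ACK = 0x10


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header (no options, zero checksum).
    This is constructed sample input for the model, not a captured packet."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    return segment[13]


def is_synfin(segment: bytes) -> bool:
    """The check TCP_DROP_SYNFIN makes: SYN and FIN set together never occur in a
    legitimate handshake, so such a segment can be discarded before any state is created."""
    f = tcp_flags(segment)
    return (f & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)


class ErrorReplyLimiter:
    """Per-second budget for error replies (RSTs to closed ports, ICMP unreachables),
    in the spirit of ICMP_BANDLIM. The limit is an assumed value for the example."""

    def __init__(self, limit: int = 100):
        self.limit = limit
        self.window = -1      # the wall-clock second currently being counted
        self.count = 0        # replies already sent in that second
        self.suppressed = 0   # replies withheld because the budget was exhausted

    def allow(self, now: float) -> bool:
        """Return True if a reply may be sent at time `now` (seconds), else count it as suppressed."""
        sec = int(now)
        if sec != self.window:
            self.window, self.count = sec, 0
        if self.count < self.limit:
            self.count += 1
            return True
        self.suppressed += 1
        return False


def closed_port_response(segment: bytes, limiter: ErrorReplyLimiter, now: float,
                         restrict_rst: bool = False) -> str:
    """Decide what the host does with a segment addressed to a closed TCP port.
    Returns one of: 'drop-synfin', 'silent', 'rst', 'rst-suppressed' (labels are assumed)."""
    if is_synfin(segment):
        return "drop-synfin"            # TCP_DROP_SYNFIN: discarded, no reply of any kind
    if restrict_rst:
        return "silent"                 # TCP_RESTRICT_RST: never emit a RST
    if limiter.allow(now):
        return "rst"                    # normal behaviour: answer with a RST
    return "rst-suppressed"             # ICMP_BANDLIM-style budget exhausted this second


def run_sample(limit: int = 4, restrict_rst: bool = False) -> dict:
    """Constructed burst: 4 SYN+FIN probes followed by 6 plain SYNs to closed port 1,
    all arriving within the same second. Returns a tally of decisions."""
    limiter = ErrorReplyLimiter(limit=limit)
    burst = [build_tcp_header(40000 + i, 1, TH_SYN | TH_FIN) for i in range(4)]
    burst += [build_tcp_header(41000 + i, 1, TH_SYN) for i in range(6)]
    tally = {}
    for i, seg in enumerate(burst):
        decision = closed_port_response(seg, limiter, now=100.0 + i * 0.05,
                                        restrict_rst=restrict_rst)
        tally[decision] = tally.get(decision, 0) + 1
    return tally


if __name__ == "__main__":
    print("default policy:      ", run_sample())
    print("with restrict_rst:   ", run_sample(restrict_rst=True))
```

With the default policy the four SYN+FIN probes are discarded outright, the first four plain SYNs receive a RST, and the remaining two are suppressed by the per-second budget; with the RST restriction enabled the host answers nothing at all. Running the model with a larger `limit` shows the trade-off Jy@ raises: the budget protects the host's own output link from being turned into an amplifier, but it is a host-local defence and does nothing for the inbound side of the link, which is why the thread points at the upstream router for the rest.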