Date: Tue, 2 Dec 2003 23:00:53 +1030
From: "Rob" <listone@deathbeforedecaf.net>
To: <fbsd_user@a1poweruser.com>, "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: network security sysctl mib's
Message-ID: <005301c3b8d0$20f6f630$a4b826cb@goo>
References: <MIEPLLIBMLEEABPDBIEGOECCEPAA.fbsd_user@a1poweruser.com>
Using apropos sysctl we get a list of several manpages, including blackhole(4), sysctl(3), sysctl(8) and sysctl.conf(5). These refer to several other sources, including ip(4), tcp(4), udp(4) and rc.conf(5) - they also mention <sys/sysctl.h>, <sys/socket.h>, <netinet/in.h>, <netinet/icmp_var.h> and <netinet/udp_var.h> if you want to study the variables first-hand.

----- Original Message -----
From: "fbsd_user" <fbsd_user@a1poweruser.com>
Subject: network security sysctl mib's

> The sysctl.conf file contains MIBs to change the default setting of
> internal options of the kernel at boot up time.
> I have found these MIBs when I display all the sysctls.
>
> These deal with how packets entering the FBSD system are handled by
> default.
> There is no man info on any MIBs.
>
> I am looking for a description of what these do and
> why I would want to turn them on.
>
> There must be some network security reason or problem
> that these address or they would not have been created
> in the first place.
>
> Are these MIBs only intended to be used on FBSD systems
> that do not have firewalls?
>
> When do these MIBs get control
> in the kernel, as they relate to IPFW or IPFILTER
> firewall seeing the packets?
> [IE: do they all process against the packet before the packet
> is handed off to the firewall or after the firewall has done
> its thing and hands the packet back to the kernel?].
>
> Since these are network security MIBs why are they not documented
> someplace?
> They can have a large impact on the security of one's FBSD system,
> and should be made known to the general administrator of the FBSD
> system and the firewall administrator.
>
> I know I need an FBSD developer who makes code changes to the kernel
> to review the internal FBSD kernel code to answer these questions. I
> hope someone will help me in this.
>
> net.inet.icmp.drop_redirect=1
> net.inet.icmp.log_redirect=0
> net.inet.ip.redirect=0
>
> net.inet.ip.sourceroute=0
> net.inet.ip.accept_sourceroute=0
>
> net.inet.icmp.bmcastecho=0
>
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
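Rob's pointer to the manpages covers what each knob means; what the thread does not show is how to verify that a host is actually running the list once it sits in sysctl.conf. The script below is an added example and is not code from either poster. It takes the list from the original message as the desired state, compares it against sysctl(8)-style "key: value" output, reports every knob that differs or is absent, and can emit the sysctl commands that apply the list to a live kernel. The "running" values embedded in it are constructed sample data so that it runs offline; on a FreeBSD host you would feed it the output of `sysctl -a` instead. The one-line comments summarise what blackhole(4), icmp(4), ip(4), tcp(4) and udp(4) document for these variables. The question of where these checks sit relative to IPFW or IPFILTER is not something this script answers.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a sysctl.conf-style
# hardening list against the values a host is actually running.

# Desired state: the list from the original post, with one-line summaries
# from the FreeBSD manpages.
WANTED='
# ICMP redirects: do not honour them (they can rewrite our routes) and do not send them
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0
# Source-routed packets: neither forward them nor accept them
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# Do not answer ICMP echo sent to broadcast/multicast addresses (smurf amplifier)
net.inet.icmp.bmcastecho=0
# Closed ports: no RST for any TCP segment (2), no ICMP port unreachable for UDP (1)
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
# Log connection attempts to ports that have no listener
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
'

# CONSTRUCTED sample of `sysctl -a` output: two knobs differ from the list and
# one (net.inet.udp.log_in_vain) is missing altogether.
RUNNING_SAMPLE='net.inet.icmp.drop_redirect: 1
net.inet.icmp.log_redirect: 0
net.inet.ip.redirect: 1
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0
net.inet.icmp.bmcastecho: 0
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 1
net.inet.tcp.log_in_vain: 1'

# check_sysctl_drift WANTED RUNNING
#   Prints "key wanted=X running=Y" for every knob whose running value differs
#   from the wanted one (Y is MISSING when the key is absent from RUNNING).
#   Returns 1 if any drift was found, 0 if everything matches.
check_sysctl_drift() {
    wanted=$1
    running=$2
    rc=0
    oldifs=$IFS
    IFS='
'
    set -f      # no pathname expansion while splitting the list on newlines
    for line in $wanted; do
        case $line in ''|\#*) continue ;; esac        # skip blanks and comments
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        val=$(printf '%s' "${line#*=}"  | tr -d '[:space:]')
        # Look the key up in the "key: value" running list.
        cur=$(printf '%s\n' "$running" |
              awk -v k="$key" -F': ' '$1 == k { print $2; found = 1 }
                                      END { if (!found) print "MISSING" }')
        if [ "$cur" != "$val" ]; then
            printf '%s wanted=%s running=%s\n' "$key" "$val" "$cur"
            rc=1
        fi
    done
    set +f
    IFS=$oldifs
    return $rc
}

# as_sysctl_commands WANTED
#   Emits one `sysctl key=value` line per setting: the commands that apply the
#   list to the running kernel now, rather than waiting for rc to read
#   /etc/sysctl.conf at the next boot.
as_sysctl_commands() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/^/sysctl /'
}

# Stand-alone run against the constructed sample.
if check_sysctl_drift "$WANTED" "$RUNNING_SAMPLE"; then
    echo "all knobs match the wanted list"
else
    echo "drift detected; to apply the list to the live kernel run:"
    as_sysctl_commands "$WANTED"
fi
```

Against the constructed sample the audit reports net.inet.ip.redirect, net.inet.tcp.blackhole and net.inet.udp.log_in_vain; the last one is reported as MISSING, which is the case worth catching because a missing key usually means a typo in sysctl.conf rather than a kernel that disagrees with you.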