From owner-freebsd-questions@FreeBSD.ORG Tue Dec 2 04:31:00 2003
From: "Rob"
To: , "freebsd-questions@FreeBSD.ORG"
Date: Tue, 2 Dec 2003 23:00:53 +1030
Message-ID: <005301c3b8d0$20f6f630$a4b826cb@goo>
Subject: Re: network security sysctl mib's
List-Id: User questions

Using apropos sysctl we get a list of several manpages, including blackhole(4), sysctl(3), sysctl(8) and sysctl.conf(5). These refer to several other sources, including ip(4), tcp(4), udp(4) and rc.conf(5) - they also mention , , , and if you want to study the variables first-hand.

----- Original Message -----
From: "fbsd_user"
Subject: network security sysctl mib's

> The sysctl.conf file contains MIBs to change the default setting of
> internal options of the kernel at boot-up time.
> I have found these MIBs when I display all the sysctls.
>
> These deal with how packets entering the FBSD system are handled by
> default.
> There is no man info on any of these MIBs.
>
> I am looking for a description of what these do and
> why I would want to turn them on.
>
> There must be some network security reason or problem
> that these address or they would not have been created
> in the first place.
>
> Are these MIBs only intended to be used on FBSD systems
> that do not have firewalls?
>
> When do these MIBs get control
> in the kernel, as they relate to IPFW or IPFILTER
> firewall seeing the packets?
> [IE: do they all process against the packet before the packet
> is handed off to the firewall or after the firewall has done
> its thing and hands the packet back to the kernel?]
>
> Since these are network security MIBs, why are they not documented
> someplace?
> They can have a large impact on the security of one's FBSD system,
> and should be made known to the general administrator of the FBSD
> system and the firewall administrator.
>
> I know I need an FBSD developer who makes code changes to the kernel
> to review the internal FBSD kernel code to answer these questions. I
> hope someone will help me in this.
>
> net.inet.icmp.drop_redirect=1
> net.inet.icmp.log_redirect=0
> net.inet.ip.redirect=0
>
> net.inet.ip.sourceroute=0
> net.inet.ip.accept_sourceroute=0
>
> net.inet.icmp.bmcastecho=0
>
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
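As an added example that is not part of this thread: a small POSIX sh audit that compares a saved `sysctl -a` listing against the MIB list quoted above and reports every deviation, so the settings can be verified after boot rather than assumed from sysctl.conf. The function name `audit_sysctl` and the sample listing are constructed for this example, not taken from a real host.

```shell
#!/bin/sh
# Audit a FreeBSD host's live sysctl values against the hardening MIBs
# quoted in the thread. The input is a saved `sysctl -a` listing
# ("mib: value" per line), so the comparison itself runs on any POSIX sh.

# Desired values, exactly the list from the original post.
EXPECTED='net.inet.icmp.drop_redirect 1
net.inet.icmp.log_redirect 0
net.inet.ip.redirect 0
net.inet.ip.sourceroute 0
net.inet.ip.accept_sourceroute 0
net.inet.icmp.bmcastecho 0
net.inet.tcp.blackhole 2
net.inet.udp.blackhole 1
net.inet.tcp.log_in_vain 1
net.inet.udp.log_in_vain 1'

# audit_sysctl FILE  (hypothetical helper, named for this example)
#   FILE holds `sysctl -a` output. Prints "MIB current expected" for each
#   MIB that deviates (a MIB absent from FILE is reported as "missing") and
#   returns the number of deviations, so 0 means the host matches the list.
audit_sysctl() {
    count=0
    while read -r mib want; do
        [ -n "$mib" ] || continue
        # Exact key match on the "name:" token that sysctl(8) prints.
        cur=$(awk -v k="$mib:" '$1 == k { print $2; exit }' "$1")
        if [ "$cur" != "$want" ]; then
            echo "$mib ${cur:-missing} $want"
            count=$((count + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$count"
}

# Constructed sample of sysctl output (not from a real host): both
# blackhole MIBs are still at their defaults and udp.log_in_vain is absent.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
net.inet.ip.forwarding: 0
net.inet.ip.redirect: 0
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0
net.inet.icmp.drop_redirect: 1
net.inet.icmp.log_redirect: 0
net.inet.icmp.bmcastecho: 0
net.inet.tcp.blackhole: 0
net.inet.tcp.log_in_vain: 1
net.inet.udp.blackhole: 0
EOF

rc=0
audit_sysctl "$SAMPLE" || rc=$?   # on a real host: sysctl -a > file first
echo "$rc deviation(s)"           # 3 for the sample above
rm -f "$SAMPLE"
```

On a FreeBSD host the check is `sysctl -a > /tmp/cur && audit_sysctl /tmp/cur`; a non-zero exit means at least one MIB does not hold the value sysctl.conf(5) was expected to set.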