Date: Tue, 11 Jul 2000 09:26:22 +0200
From: Marc Silver <marcs@draenor.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: docs/19841: Change to dialup firewalling article
Message-ID: <E13BuQw-0009nT-00@draenor.org>
>Number: 19841 >Category: docs >Synopsis: Change to dialup firewalling article >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Tue Jul 11 00:30:00 PDT 2000 >Closed-Date: >Last-Modified: >Originator: Marc Silver >Release: FreeBSD 4.0-STABLE i386 >Organization: >Environment: N/A >Description: Changes to the natd command under FreeBSD 3.5 require a minor change to the document. Also added some notes on additional security options for the KERNEL. >How-To-Repeat: N/A >Fix: Please patch the file at earliest convenience. --- original.sgml Mon Jun 26 13:30:35 2000 +++ article.sgml Tue Jul 11 09:24:09 2000 @@ -96,6 +96,36 @@ </varlistentry> </variablelist> + <para>There are also some other OPTIONAL items that you can compile + into the kernel for some added security. These are not required in + order to get firewalling to work, but some more paranoid users may + want to use them.</para> + + <variablelist> + <varlistentry> + <term><literal>options TCP_RESTRICT_RST</literal></term> + + <listitem> + <para>This option blocks all TCP RST packets. This is + best used for systems that might be exposed to SYN + flooding (IRC Servers are a good example) or for those who + do not want to be easily portscannable.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>options TCP_DROP_SYNFIN</literal></term> + + <listitem> + <para>This option ignores TCP packets with SYN and FIN. This + prevents tools such as nmap etc from identifying the TCP/IP + stack of the machine, but breaks support for RFC1644 + extensions. This is NOT recommended if the machine will be + running web server.</para> + </listitem> + </varlistentry> + </variablelist> + <para>Don't reboot once you have recompiled the kernel. Hopefully, we will need to reboot just once in order to complete the installing of the firewall.</para> 
@@ -113,7 +143,8 @@ firewall_script="/etc/firewall/fwrules" natd_enable="YES" natd_interface="tun0" -natd_flags="-dynamic"</programlisting> +natd_flags="-dynamic" +natd_flags="-dynamic yes" #(For FreeBSD 3.5)</programlisting> <para>For more information on what the above do take a look at <filename>/etc/defaults/rc.conf</filename> and read >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
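Review bot: the new `TCP_RESTRICT_RST` entry in the first hunk should state the cost of the option the way the `TCP_DROP_SYNFIN` entry states its RFC1644 cost: if the kernel blocks all TCP RST packets, as the paragraph says, then a host connecting to a closed port on this machine gets no refusal and waits for a timeout instead, which matters for an article aimed at dialup users running ordinary client software. A clause such as `but connections to closed ports will time out rather than be refused` after `portscannable` would balance the entry. Minor wording in the same hunk: `running web server` should read `running a web server`, and `nmap etc from identifying` should read `nmap from identifying` or `nmap etc. from identifying`.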
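Review bot: the second hunk leaves two `natd_flags` assignments in the same programlisting, `natd_flags="-dynamic"` immediately followed by `natd_flags="-dynamic yes" #(For FreeBSD 3.5)`, so a reader who copies the block into `/etc/rc.conf` gets the second value on every release, not only 3.5, because `rc.conf` is sourced as a shell script and the later assignment wins. Since the trailing comment shows the two lines are meant as alternatives, present them that way, for example by commenting out one of them and saying in the para that follows the listing which form applies to 3.5 and which to 4.0, consistent with the PR description that the natd command changed in 3.5.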