Delivered-To: freebsd-doc@freebsd.org
Date: Tue, 11 Jul 2000 09:26:22 +0200
From: Marc Silver
Reply-To: marcs@draenor.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: docs/19841: Change to dialup firewalling article

>Number: 19841
>Category: docs
>Synopsis: Change to dialup firewalling article
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 11 00:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Marc Silver
>Release: FreeBSD 4.0-STABLE i386
>Organization:
>Environment:
N/A
>Description:
Changes to the natd command under FreeBSD 3.5 require a minor change to the document. Also added some notes on additional security options for the KERNEL.
>How-To-Repeat:
N/A
>Fix:
Please patch the file at earliest convenience.

--- original.sgml Mon Jun 26 13:30:35 2000
+++ article.sgml Tue Jul 11 09:24:09 2000
@@ -96,6 +96,36 @@ + There are also some other OPTIONAL items that you can compile + into the kernel for some added security. These are not required in + order to get firewalling to work, but some more paranoid users may + want to use them. + + + + options TCP_RESTRICT_RST + + + This option blocks all TCP RST packets. This is + best used for systems that might be exposed to SYN + flooding (IRC Servers are a good example) or for those who + do not want to be easily portscannable. + + + + + options TCP_DROP_SYNFIN + + + This option ignores TCP packets with SYN and FIN. This + prevents tools such as nmap etc from identifying the TCP/IP + stack of the machine, but breaks support for RFC1644 + extensions. This is NOT recommended if the machine will be + running web server. + + + + Don't reboot once you have recompiled the kernel. Hopefully, we will need to reboot just once in order to complete the installing of the firewall. @@ -113,7 +143,8 @@ firewall_script="/etc/firewall/fwrules" natd_enable="YES" natd_interface="tun0" -natd_flags="-dynamic" +natd_flags="-dynamic" +natd_flags="-dynamic yes" #(For FreeBSD 3.5) For more information on what the above do take a look at /etc/defaults/rc.conf and read
>Release-Note:
>Audit-Trail:
>Unformatted:
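Review bot: In the TCP_RESTRICT_RST paragraph of the first hunk, "This option blocks all TCP RST packets" does not say which direction is meant and reads as if incoming RSTs are dropped, which would interfere with normal connection teardown; as I understand the option it restricts the RST segments the kernel itself sends (the net.inet.tcp.restrict_rst knob), so suggest "This option stops the kernel from sending TCP RST packets" and a sentence on why that helps against scanning. Minor: "running web server" in the TCP_DROP_SYNFIN paragraph should read "running a web server".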
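Review bot: The rc.conf hunk ends up with two natd_flags assignments in the example file; since rc.conf is sourced by sh, the later line `natd_flags="-dynamic yes"` silently overrides `natd_flags="-dynamic"` for every reader who copies the block, not only those on 3.5, and the removed line `-natd_flags="-dynamic"` is re-added unchanged, so that part of the hunk is a no-op. Suggest keeping a single assignment and presenting the 3.5 variant either commented out (`#natd_flags="-dynamic yes"   # FreeBSD 3.5`) or in a sentence after the block, so the example stays a file that works as pasted.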