Date:      Sun, 21 Dec 1997 19:54:13 +1100 (EST)
From:      Darren Reed <darrenr@cyber.com.au>
To:        cschuber@uumail.gov.bc.ca
Cc:        adam@homeport.org, firewall-wizards@nfr.net, freebsd-security@freebsd.org
Subject:   Re: Kernel options for FW?
Message-ID:  <199712210854.TAA09356@plum.cyber.com.au>
In-Reply-To: <199712191538.HAA00996@cwsys.cwsent.com> from "Cy Schubert - ITSD Open Systems Group" at Dec 19, 97 07:37:59 am

In some mail I received from Cy Schubert - ITSD Open Systems Group, sie wrote
> 
> > options IPFORWSRCRT=0 //Turn off source routing.
> 
> Under FreeBSD you would use,
> 
> ipfw deny ... ipoptions ssrr
> ipfw deny ... ipoptions lsrr
> ipfw deny ... ipoptions rr

Or if using IP Filter on FreeBSD:

block in all with ipopt lsrr
block in all with ipopt ssrr

(You shouldn't need to block the Record-Route option (rr) as it doesn't
 actually affect routing, just records it).

> > options IPNOPRIVPORTS //Remove concept of priv'd ports so BIND doesn't
> > 		      //need to run as root.
> 
> There is no equivalent in FreeBSD-stable.  I'm not sure whether -current has 
> it.

I've posted a bunch of patches for BIND 8.1.1 which allow config options
to change the user it runs as and to have it run chroot'd, so this should
not be as much of a worry.

> > options IPFILTER_DEFAULT_BLOCK //Put my FW policy in the kernel.
> 
> The FreeBSD default is BLOCK and is defined as rule 65535.  If you wish to 
> make the default PASS, then you'd define rule 65534 with the pass option.

Since I'm at `fault' or `to blame' here, I'll add a comment or two.

In my experience, defaulting to block in a system which isn't sold as a
firewall caused more problems than it was worth ;)

And so, IP Filter for FreeBSD requires the same.
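As an added illustration of the option-filtering rules discussed above (this is example code written for this archive page, not Darren Reed's, IP Filter's or ipfw's code), the following standard-library Python parses the IPv4 options field and applies the same verdict the quoted rules do: drop packets carrying LSRR or SSRR, let RR through because it only records the path. The packets it runs on are constructed inline; the helper names, the 192.0.2.0/24 and 198.51.100.0/24 addresses, and the "block on malformed options" choice are assumptions of the example, not anything from the mail.

```python
"""Classify IPv4 option bytes the way the ipfw/ipf rules in this thread do.

Added example, not code from the original mail or from IP Filter/ipfw.
Standard library only.
"""
import struct
from typing import List, Tuple

# IPv4 option type values (RFC 791): copied flag | class | number
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_RR = 7      # Record Route: routers append their address; does not steer the packet
IPOPT_LSRR = 131  # Loose Source and Record Route
IPOPT_SSRR = 137  # Strict Source and Record Route

# Policy as stated in the thread: block source routing, let record-route pass.
BLOCKED_OPTIONS = {IPOPT_LSRR: "lsrr", IPOPT_SSRR: "ssrr"}
OPTION_NAMES = {IPOPT_RR: "rr", IPOPT_LSRR: "lsrr", IPOPT_SSRR: "ssrr",
                IPOPT_NOP: "nop", IPOPT_EOL: "eol"}


def parse_ip_options(header: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, data) tuples for the options in an IPv4 header.

    Raises ValueError on bad lengths so a malformed packet is never silently passed.
    """
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    opts = header[20:ihl]
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:          # single-byte option, ends the list
            out.append((t, b""))
            break
        if t == IPOPT_NOP:          # single-byte padding option
            out.append((t, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError("bad option length")
        out.append((t, opts[i + 2:i + ln]))
        i += ln
    return out


def source_route_hops(data: bytes) -> List[str]:
    """Decode the address list of an RR/LSRR/SSRR option (pointer byte, then 4-byte addresses)."""
    addrs = data[1:]
    usable = len(addrs) - len(addrs) % 4
    return [".".join(str(b) for b in addrs[k:k + 4]) for k in range(0, usable, 4)]


def filter_verdict(header: bytes) -> Tuple[str, List[str]]:
    """Return ('block' | 'pass', names of options seen), mirroring the thread's rules.

    Assumption of this example: a header whose options cannot be parsed is blocked.
    """
    try:
        options = parse_ip_options(header)
    except ValueError:
        return "block", ["malformed"]
    names = [OPTION_NAMES.get(t, f"opt{t}") for t, _ in options]
    verdict = "block" if any(t in BLOCKED_OPTIONS for t, _ in options) else "pass"
    return verdict, names


def build_header(options: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header carrying the given options, padded to 4 bytes."""
    pad = (-len(options)) % 4
    options = options + b"\x00" * pad
    ihl = 5 + len(options) // 4
    base = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return base + options


# Constructed sample packets (documentation addresses), not captured traffic.
ADDR = bytes([198, 51, 100, 9])
SAMPLE_LSRR = build_header(bytes([IPOPT_LSRR, 7, 4]) + ADDR)
SAMPLE_SSRR = build_header(bytes([IPOPT_SSRR, 7, 4]) + ADDR)
SAMPLE_RR = build_header(bytes([IPOPT_RR, 7, 4]) + ADDR)
SAMPLE_PLAIN = build_header(b"")

if __name__ == "__main__":
    for name, pkt in [("lsrr", SAMPLE_LSRR), ("ssrr", SAMPLE_SSRR),
                      ("rr", SAMPLE_RR), ("none", SAMPLE_PLAIN)]:
        print(name, filter_verdict(pkt))
```

The parser is deliberately strict about option lengths: a filter that skips over an unparseable options field would pass exactly the packets it most needs to inspect, so the verdict on a parse failure is "block" here (that choice is the example's, not something the mail specifies).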




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199712210854.TAA09356>