Firewall Wizards mailing list archives

Re: Kernel options for FW?


From: Cy Schubert - ITSD Open Systems Group <cschuber () uumail gov bc ca>
Date: Fri, 19 Dec 1997 07:37:59 -0800

(This is not meant to spark a religious war.  I'm asking for help
configuring a kernel, and comparing kernel security features between
FreeBSD and NetBSD to make a reasonable decision.)

On NetBSD, I'd enable the following options.  I can't find equivalents
to these on FreeBSD.  Do they exist, and what are they?  Also, I know
FreeBSD sets kernel security wrong (-1) by default, and that needs to
be fixed.  Are there other things that I should know about on FreeBSD
to do everything right?


options IPFORWSRCRT=0 //Turn off source routing.

Under FreeBSD you would use,

ipfw deny ... ipoptions ssrr
ipfw deny ... ipoptions lsrr
ipfw deny ... ipoptions rr


options IPNOPRIVPORTS //Remove concept of priv'd ports so BIND doesn't
                    //need to run as root.

There is no equivalent in FreeBSD-stable.  I'm not sure whether -current has 
it.


options IPFILTER_DEFAULT_BLOCK //Put my FW policy in the kernel.

The FreeBSD default is BLOCK and is defined as rule 65535.  If you wish to 
make the default PASS, then you'd define rule 65534 with the pass option.


options FDSCRIPTS // Allow a script to be run if it is x only, by
               // passing a file descriptor to the interpreter,
               // avoiding some race conditions.

I'm not sure that I understand, but I'll attempt to answer it anyway.  Using 
divert sockets you can divert packets to an arbitrary piece of code, e.g. NAT.
To set up a divert socket you would use the divert option of ipfw.

  
Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                     -Hume
Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber () uumail gov bc ca
                                       Cy.Schubert () gems8 gov bc ca

                "Quit spooling around, JES do it."
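The ipfw rules discussed in this thread (deny source-routed packets, and an explicit default-deny alongside FreeBSD's built-in rule 65535), assembled into a small rc-style script as an added example; this is my code, not anything posted by Cy or Adam. The rule numbers, the loopback allow rule, and the `echo` dry-run convention are my own choices.

```shell
#!/bin/sh
# Added example: builds the ipfw policy sketched in the thread.
# Pass the command used to install rules as $1: "ipfw" on a live FreeBSD
# host, or "echo" to dry-run and review the generated ruleset first.
# Rule numbers and ordering below are my assumptions, not from the post.

build_ruleset() {
    fwcmd="${1:-echo}"        # default to a dry run, never to a live change

    "$fwcmd" -f flush         # start from an empty ruleset

    # Drop source-routed packets before any pass rule can match them.
    # ipfw evaluates rules in ascending number order, so these come first.
    "$fwcmd" add 100 deny ip from any to any ipoptions ssrr
    "$fwcmd" add 110 deny ip from any to any ipoptions lsrr
    "$fwcmd" add 120 deny ip from any to any ipoptions rr

    # Loopback traffic is allowed explicitly so it never reaches the deny.
    "$fwcmd" add 200 allow ip from any to any via lo0

    # Explicit final deny at 65534. FreeBSD's implicit rule 65535 already
    # denies by default, but writing the policy down makes it self-describing
    # and keeps it correct on a kernel built with a default-accept rule 65535.
    "$fwcmd" add 65534 deny ip from any to any
}

# Sanity check on the generated ruleset: every ipoptions deny must carry a
# lower (earlier) rule number than the first allow rule.
ruleset_ordered() {
    first_allow=$(build_ruleset echo | awk '$1=="add" && $3=="allow" {print $2; exit}')
    last_deny=$(build_ruleset echo | awk '$1=="add" && $3=="deny" && /ipoptions/ {n=$2} END {print n}')
    [ "$last_deny" -lt "$first_allow" ]
}
```

Run `build_ruleset echo` to review the rules, and `build_ruleset ipfw` as root on the FreeBSD host once the output looks right.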