Firewall Wizards mailing list archives
Re: Kernel options for FW?
From: Brian Mitchell <brian () firehouse net>
Date: Thu, 18 Dec 1997 12:07:29 -0500 (EST)
On Thu, 18 Dec 1997, Adam Shostack wrote:
(This is not meant to spark a religious war. I'm asking for help configuring a kernel, and comparing kernel security features between FreeBSD and NetBSD to make a reasonable decision.)
On NetBSD, I'd enable the following options. I can't find equivalents to these on FreeBSD. Do they exist, and what are they? Also, I know FreeBSD sets kernel security wrong (-1) by default, and that needs to be fixed. Are there other things that I should know about on FreeBSD to do everything right?
options IPFORWSRCRT=0 // Turn off source routing.
This is a sysctl, I believe. Use sysctl -a to check.
options IPNOPRIVPORTS // Remove concept of priv'd ports so BIND doesn't need to run as root.
Last time I checked (which was some time ago), FreeBSD did not have this. An OpenBSD developer thinks this is a horrible idea, for various reasons he can elaborate on. I wrote a sysctl-able variable that does this on a per-port basis, but besides hacking the kernel a bit, I don't know of any way to do it. I'm sure someone more familiar with -current and newer -releases will be of more assistance.
options IPFILTER_DEFAULT_BLOCK // Put my FW policy in the kernel.
This is the default in ipfw. Last time I built it, it was hardcoded, although there was a way (ioctl?) to change it.
options FDSCRIPTS // Allow a script to be run if it is x only, by passing a file descriptor to the interpreter, avoiding some race conditions.
Absolutely no idea on this one.
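Since the thread points at sysctl -a as the way to check the FreeBSD side, here is an added audit script (not from the thread or from either BSD project) that reads sysctl output and flags the knobs that correspond to the NetBSD options and the securelevel problem above. The sysctl names it checks (kern.securelevel, net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, net.inet.ip.portrange.reservedhigh) are assumed from current FreeBSD and post-date this 1997 exchange; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Audits "name: value" lines as printed
# by `sysctl -a` on FreeBSD against the settings discussed above.
# Assumed sysctl names (current FreeBSD, newer than the thread):
#   kern.securelevel                   -1 by default; raise to >= 1 at boot
#   net.inet.ip.sourceroute            0 = do not forward source-routed packets
#   net.inet.ip.accept_sourceroute     0 = drop source-routed packets sent to us
#   net.inet.ip.portrange.reservedhigh 0 = no reserved ports (IPNOPRIVPORTS-like)

# check_setting NAME VALUE: print a finding and return 1 if VALUE is not hardened
check_setting() {
    name=$1; value=$2
    case "$name" in
        kern.securelevel)
            [ "$value" -ge 1 ] 2>/dev/null && return 0
            echo "FAIL $name=$value (want >= 1; set kern_securelevel in rc.conf)"; return 1 ;;
        net.inet.ip.sourceroute|net.inet.ip.accept_sourceroute)
            [ "$value" = 0 ] && return 0
            echo "FAIL $name=$value (want 0; like NetBSD IPFORWSRCRT=0)"; return 1 ;;
        net.inet.ip.portrange.reservedhigh)
            [ "$value" = 0 ] && return 0
            echo "FAIL $name=$value (want 0; like NetBSD IPNOPRIVPORTS)"; return 1 ;;
        *) return 0 ;;   # not a setting this audit cares about
    esac
}

# audit_sysctl_output: read "name: value" lines on stdin, print findings,
# and return the number of settings that failed (0 = all hardened).
audit_sysctl_output() {
    failures=0
    while IFS= read -r line; do
        case "$line" in *:*) ;; *) continue ;; esac   # skip non-sysctl lines
        name=${line%%:*}
        value=${line#*:}
        value=${value# }   # drop the single space sysctl prints after the colon
        check_setting "$name" "$value" || failures=$((failures + 1))
    done
    return "$failures"
}

# Constructed sample of sysctl -a output resembling a default install
SAMPLE_SYSCTL='kern.securelevel: -1
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0
net.inet.ip.portrange.reservedhigh: 1023'

# On a real host: sysctl -a | audit_sysctl_output
printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl_output || echo "$? setting(s) need attention"
```

The sample reports kern.securelevel and reservedhigh as failing; securelevel can only be raised, not lowered, on a running system, so it is normally set from rc.conf at boot.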