Firewall Wizards mailing list archives

Re: Kernel options for FW?


From: Brian Mitchell <brian () firehouse net>
Date: Thu, 18 Dec 1997 12:07:29 -0500 (EST)

On Thu, 18 Dec 1997, Adam Shostack wrote:

> (This is not meant to spark a religious war.  I'm asking for help
> configuring a kernel, and comparing kernel security features between
> FreeBSD and NetBSD to make a reasonable decision.)
>
> On NetBSD, I'd enable the following options.  I can't find equivalents
> to these on FreeBSD.  Do they exist, and what are they?   Also, I know
> FreeBSD sets kernel security wrong (-1) by default, and that needs to
> be fixed.  Are there other things that I should know about on FreeBSD
> to do everything right?


> options IPFORWSRCRT=0 //Turn off source routing.

This is a sysctl, I believe. sysctl -a to check.


> options IPNOPRIVPORTS //Remove concept of priv'd ports so BIND doesn't
>                     //need to run as root.


Last time I checked (which was some time ago) FreeBSD did not have this.
An OpenBSD developer thinks this is a horrible idea, for various reasons he
can elaborate on. I wrote a sysctlable variable that does this on a per
port basis, but besides hacking the kernel a bit, I don't know of any way
to do it.

I'm sure someone more familiar with -current and newer -releases will be
of more assistance.

> options IPFILTER_DEFAULT_BLOCK //Put my FW policy in the kernel.


This is the default in ipfw. Last time I built it, it was hardcoded,
although there was a way (ioctl?) to change it.

> options FDSCRIPTS // Allow a script to be run if it is x only, by
>                // passing a file descriptor to the interpreter,
>                // avoiding some race conditions.


Absolutely no idea on this one.
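An added example, not part of this thread: a POSIX sh check that reads FreeBSD "sysctl -a" output and flags the source-routing and kernel securelevel settings the two posters discuss. The sysctl names (net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, kern.securelevel) are FreeBSD's own; the sample sysctl output inside the script is constructed, not captured from a real host.

```shell
# Added example (not from the thread): audit FreeBSD `sysctl -a` output for
# the settings discussed above. Sysctl names are real; sample is constructed.

# Constructed `sysctl -a` excerpt ("name: value" per line, FreeBSD style) for
# a host that still forwards source-routed packets and runs at securelevel -1.
SAMPLE_SYSCTL='kern.ostype: FreeBSD
kern.securelevel: -1
net.inet.ip.forwarding: 1
net.inet.ip.sourceroute: 1
net.inet.ip.accept_sourceroute: 0'

# sysctl_get NAME TEXT: print NAME's value from TEXT, or nothing if absent.
sysctl_get() {
    printf '%s\n' "$2" | awk -v k="$1" -F': ' '$1 == k { print $2; exit }'
}

# audit_sysctl TEXT: print one OK/FAIL line per check; returns the failure count.
audit_sysctl() {
    text=$1
    fails=0
    # Source-routed packets should be neither forwarded (sourceroute) nor
    # accepted for local delivery (accept_sourceroute).
    for key in net.inet.ip.sourceroute net.inet.ip.accept_sourceroute; do
        val=$(sysctl_get "$key" "$text")
        if [ "$val" = "0" ]; then
            echo "OK   $key=$val"
        else
            echo "FAIL $key=${val:-missing} (expected 0)"
            fails=$((fails + 1))
        fi
    done
    # securelevel -1 is the permissive default; a firewall should run at >= 1.
    lvl=$(sysctl_get kern.securelevel "$text")
    if [ -n "$lvl" ] && [ "$lvl" -ge 1 ]; then
        echo "OK   kern.securelevel=$lvl"
    else
        echo "FAIL kern.securelevel=${lvl:-missing} (expected >= 1)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# failed_checks TEXT: print only the number of FAIL lines from audit_sysctl.
failed_checks() {
    audit_sysctl "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# On a live FreeBSD host run: audit_sysctl "$(sysctl -a)"
audit_sysctl "$SAMPLE_SYSCTL" || echo "$? check(s) need attention"
```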


