Firewall Wizards mailing list archives

Re: Kernel options for FW?


From: Darren Reed <darrenr () cyber com au>
Date: Sun, 21 Dec 1997 19:54:13 +1100 (EST)

In some mail I received from Cy Schubert - ITSD Open Systems Group, sie wrote

options IPFORWSRCRT=0 //Turn off source routing.

Under FreeBSD you would use,

ipfw deny ... ipoptions ssrr
ipfw deny ... ipoptions lsrr
ipfw deny ... ipoptions rr

Or if using IP Filter on FreeBSD:

block in all with ipopt lsrr
block in all with ipopt ssrr

(You shouldn't need to block the Record-Route option (rr) as it doesn't
 actually affect routing, just records it).

options IPNOPRIVPORTS //Remove concept of priv'd ports so BIND doesn't
                  //need to run as root.

There is no equivalent in FreeBSD-stable.  I'm not sure whether -current has it.

I've posted a bunch of patches for BIND 8.1.1 which allow config options
to change the user it runs as and to have it run chroot'd, so this should
not be as much of a worry.

options IPFILTER_DEFAULT_BLOCK //Put my FW policy in the kernel.

The FreeBSD default is BLOCK and is defined as rule 65535.  If you wish to 
make the default PASS, then you'd define rule 65534 with the pass option.

Since I'm at `fault' or `to blame' here, I'll add a comment or two.

In my experience, defaulting to block in a system which isn't sold as a
firewall caused more problems than it was worth ;)

And so, IP Filter for FreeBSD requires the same.
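As an added illustration (not code from the original post or from ipfw/IP Filter), the following parser walks the IPv4 header option list and reproduces the verdict the rules above express: block packets carrying LSRR or SSRR, let Record Route (rr) through. The header builder and the 10.0.0.x addresses are constructed test data.

```python
import struct

# IPv4 option type codes (RFC 791); these are what the ipfw/ipf rules match on
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # single-byte padding, no length field
IPOPT_RR = 7       # Record Route: records the path, does not alter forwarding
IPOPT_LSRR = 131   # Loose Source and Record Route
IPOPT_SSRR = 137   # Strict Source and Record Route


def parse_ip_options(packet: bytes) -> list:
    """Return the option type codes present in an IPv4 header, validating lengths."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4            # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    found, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")   # malformed, do not trust it
        found.append(t)
        i += length
    return found


def source_routing_verdict(packet: bytes) -> str:
    """'block' for LSRR/SSRR (as the ipfw/ipf rules above do), else 'pass'."""
    types = parse_ip_options(packet)
    return "block" if (IPOPT_LSRR in types or IPOPT_SSRR in types) else "pass"


def build_header(options: bytes = b"") -> bytes:
    """Constructed sample IPv4 header (checksum left zero) carrying the given options."""
    padded = options + b"\x00" * ((-len(options)) % 4)   # pad to 32-bit boundary with EOL
    ihl = 5 + len(padded) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + padded
```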


