Date: Thu, 20 Jan 2000 22:16:26 -0700 From: Brett Glass <brett@lariat.org> To: Matthew Dillon <dillon@apollo.backplane.com>, Alfred Perlstein <bright@wintelcom.net> Cc: security@FreeBSD.ORG Subject: Re: stream.c worst-case kernel paths Message-ID: <4.2.2.20000120220649.018faa80@localhost> In-Reply-To: <200001210351.TAA55516@apollo.backplane.com> References: <4.2.2.20000120182425.01886ec0@localhost> <20000120195257.G14030@fw.wintelcom.net>
next in thread | previous in thread | raw e-mail | index | archive | help
At 08:51 PM 1/20/2000 , Matthew Dillon wrote: > ICMP_BANDLIM has been in the tree for some time now and I have never > received a bad bug report from people using it. I might recommend > increasing the default net.inet.icmp.icmplim from 100 to 200, but > otherwise I think it could be turned on by default without causing > any ill effects. > > I would personally prefer that we wait until after the 4.0 release > before changing the default to on. How about one of the "golden" releases along 3.X-STABLE? After all, those of us who are conservative will not be deploying 4.X in mission-critical applications until the 4.1 or 4.2 point release (depending on how well things go). I'd certainly like to see TCP_RESTRICT_RST on by default. Blocking RSTs is getting to be a standard feature. Our lab's Windows boxes run BlackIce Defender, which does this, and it makes them pretty resilient. And is there any reason NOT to turn on TCP_DROP_SYNFIN? --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.2.20000120220649.018faa80>