From: Brett Glass <brett@lariat.org>
To: Matthew Dillon, Alfred Perlstein
Cc: security@FreeBSD.ORG
Subject: Re: stream.c worst-case kernel paths
Date: Thu, 20 Jan 2000 22:16:26 -0700
Message-Id: <4.2.2.20000120220649.018faa80@localhost>
In-Reply-To: <200001210351.TAA55516@apollo.backplane.com>
References: <4.2.2.20000120182425.01886ec0@localhost> <20000120195257.G14030@fw.wintelcom.net>

At 08:51 PM 1/20/2000, Matthew Dillon wrote:

> ICMP_BANDLIM has been in the tree for some time now and I have never
> received a bad bug report from people using it. I might recommend
> increasing the default net.inet.icmp.icmplim from 100 to 200, but
> otherwise I think it could be turned on by default without causing
> any ill effects.
>
> I would personally prefer that we wait until after the 4.0 release
> before changing the default to on.

How about one of the "golden" releases along 3.X-STABLE? After all, those of us who are conservative will not be deploying 4.X in mission-critical applications until the 4.1 or 4.2 point release (depending on how well things go).

I'd certainly like to see TCP_RESTRICT_RST on by default. Blocking RSTs is getting to be a standard feature. Our lab's Windows boxes run BlackIce Defender, which does this, and it makes them pretty resilient.

And is there any reason NOT to turn on TCP_DROP_SYNFIN?

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
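A small audit script for the kernel options and sysctl limit debated in this thread (ICMP_BANDLIM, TCP_RESTRICT_RST, TCP_DROP_SYNFIN, net.inet.icmp.icmplim). This is an added example, not code from the thread or from FreeBSD; the kernel config it reads is constructed inline, and the function names are ours.

```sh
#!/bin/sh
# Added example: check a FreeBSD 3.x/4.x-era kernel config for the hardening
# options discussed in the thread, and compare an icmplim value against the
# 200 that Matthew Dillon suggested. Sample config below is constructed.

WANTED_OPTIONS="ICMP_BANDLIM TCP_RESTRICT_RST TCP_DROP_SYNFIN"
RECOMMENDED_ICMPLIM=200

# missing_options CONFIG_FILE -> prints the wanted options not enabled in it.
# A line counts only if it starts with "options <NAME>" (commented lines don't).
missing_options() {
    missing=""
    for opt in $WANTED_OPTIONS; do
        if ! grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|$)" "$1"; then
            missing="$missing $opt"
        fi
    done
    echo "${missing# }"
}

# icmplim_ok VALUE -> succeeds when VALUE is at least the recommended limit.
icmplim_ok() {
    [ "$1" -ge "$RECOMMENDED_ICMPLIM" ]
}

# Constructed sample: ICMP_BANDLIM on, TCP_RESTRICT_RST commented out,
# TCP_DROP_SYNFIN absent entirely.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ident    LAB
options  ICMP_BANDLIM        # rate-limit ICMP error replies
#options TCP_RESTRICT_RST
options  INET
EOF

echo "missing: $(missing_options "$SAMPLE_CONF")"
# On a live host, replace the literal 100 with: $(sysctl -n net.inet.icmp.icmplim)
if icmplim_ok 100; then
    echo "icmplim ok"
else
    echo "icmplim below recommended $RECOMMENDED_ICMPLIM"
fi
rm -f "$SAMPLE_CONF"
```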