Date:      Thu, 08 Mar 2001 13:47:49 -0600
From:      Christopher Schulte <christopher@schulte.org>
To:        Brooks Davis <brooks@one-eyed-alien.net>
Cc:        "oldfart@gtonet" <oldfart@gtonet.net>, security@FreeBSD.ORG
Subject:   Re: strange messages
Message-ID:  <5.0.2.1.0.20010308134342.02761e70@pop.schulte.org>
In-Reply-To: <20010308113347.A7928@Odin.AC.HMC.Edu>
References:  <5.0.2.1.0.20010308130833.00adec88@pop.schulte.org> <BIEHKEFNHFMMJEKCDMLNAEBHCGAA.oldfart@gtonet.net> <20010308100755.A13090@Odin.AC.HMC.Edu> <BIEHKEFNHFMMJEKCDMLNAEBHCGAA.oldfart@gtonet.net> <20010308103500.C13090@Odin.AC.HMC.Edu> <5.0.2.1.0.20010308130833.00adec88@pop.schulte.org>

At 11:33 AM 3/8/2001 -0800, Brooks Davis wrote:
>On Thu, Mar 08, 2001 at 01:12:41PM -0600, Christopher Schulte wrote:
> > You can convince the kernel to use a more user-defined port range(s) for
> > dynamic outbound connections with a few sysctl vars, thus making firewall
> > confs a bit easier to craft and maintain:
> >
> > `sysctl -a | grep portrange`
>
>Is there some actual documentation on what these do somewhere?  Just
>being able to limit the range of arbitrary ports doesn't do anything, but
>I can't see what else you could do with these.

If you told the kernel to initiate all outbound connections between, say,
ports 2000-4000, then you wouldn't have to worry about filtering lower
ports, to kick those pesky rpc services - which as was mentioned cannot
always be told to live on a user-defined port.

As far as docs:

Yah, do a man on ip(4) or http://people.freebsd.org/~adrian/sysctl.descriptions

>-- Brooks
>
>--
>Any statement of the form "X is the one, true Y" is FALSE.
>PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4


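Added example, not part of the thread: a POSIX shell script that turns the advice above into the two pieces a practitioner actually needs, the net.inet.ip.portrange.first/last settings for /etc/sysctl.conf (the knobs documented in ip(4)) and the matching ipfw rules, plus a check that compares the wanted range against `sysctl net.inet.ip.portrange` output. The 2000-4000 range is the one from the mail; the ipfw rule numbers 1000/1010 and the sample sysctl output (FreeBSD 4.x-style defaults) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): pin FreeBSD's ephemeral (outbound)
# port range with net.inet.ip.portrange.first/last and derive the firewall
# rules that go with it. Rule numbers and sample output are assumptions.

# A candidate range must be numeric, above the reserved ports (<1024),
# inside 16 bits and ordered first < last.
check_range() {
    first="$1"; last="$2"
    case "$first" in ''|*[!0-9]*) return 1 ;; esac
    case "$last"  in ''|*[!0-9]*) return 1 ;; esac
    [ "$first" -ge 1024 ]   || return 1
    [ "$last"  -le 65535 ]  || return 1
    [ "$first" -lt "$last" ] || return 1
    return 0
}

# Lines for /etc/sysctl.conf so the range survives a reboot
# (sysctl -w with the same names applies them to the running kernel).
sysctl_conf_lines() {
    check_range "$1" "$2" || return 1
    printf 'net.inet.ip.portrange.first=%s\n' "$1"
    printf 'net.inet.ip.portrange.last=%s\n' "$2"
}

# ipfw rules: replies to our own outbound connections land only in the
# pinned range, so everything else above 1023 can be refused inbound.
# Services you do offer need their own allow rules placed before 1010.
ipfw_rules() {
    check_range "$1" "$2" || return 1
    deny=""
    [ "$1" -gt 1024 ] && deny="1024-$(($1 - 1))"
    if [ "$2" -lt 65535 ]; then
        deny="${deny:+$deny,}$(($2 + 1))-65535"
    fi
    printf 'ipfw add 1000 allow tcp from any to me %s-%s in established\n' "$1" "$2"
    [ -n "$deny" ] && printf 'ipfw add 1010 deny tcp from any to me %s in\n' "$deny"
    return 0
}

# Given "name: value" lines (the output of `sysctl net.inet.ip.portrange`),
# succeed only if the running kernel already uses the wanted range.
kernel_matches() {
    have_first=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.inet.ip.portrange.first" { print $2 }')
    have_last=$(printf '%s\n'  "$1" | awk -F': ' '$1 == "net.inet.ip.portrange.last"  { print $2 }')
    [ "$have_first" = "$2" ] && [ "$have_last" = "$3" ]
}

# Constructed sample of what a 4.x box reports before any tuning
# (assumed defaults; check your own kernel with `sysctl -a | grep portrange`).
SAMPLE_SYSCTL='net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535'

# Demo run for the range used in the mail.
WANT_FIRST=2000; WANT_LAST=4000
if kernel_matches "$SAMPLE_SYSCTL" "$WANT_FIRST" "$WANT_LAST"; then
    echo "kernel already uses $WANT_FIRST-$WANT_LAST"
else
    echo "# kernel not yet pinned; add to /etc/sysctl.conf:"
    sysctl_conf_lines "$WANT_FIRST" "$WANT_LAST"
    echo "# and to the ipfw ruleset:"
    ipfw_rules "$WANT_FIRST" "$WANT_LAST"
fi
```

Run it once to see the generated lines, then feed the real `sysctl net.inet.ip.portrange` output to kernel_matches after applying them; the deny rule relies on rule 1000 matching first, and on the rest of the ruleset allowing whatever you intentionally serve.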