Date: Tue, 11 Jul 2000 09:26:22 +0200
From: Marc Silver <marcs@draenor.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: docs/19841: Change to dialup firewalling article
Message-ID: <E13BuQw-0009nT-00@draenor.org>
>Number: 19841
>Category: docs
>Synopsis: Change to dialup firewalling article
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 11 00:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Marc Silver
>Release: FreeBSD 4.0-STABLE i386
>Organization:
>Environment:
N/A
>Description:
Changes to the natd command under FreeBSD 3.5 require a
minor change to the document. Also added some notes on
additional security options for the KERNEL.
>How-To-Repeat:
N/A
>Fix:
Please patch the file at earliest convenience.
--- original.sgml Mon Jun 26 13:30:35 2000
+++ article.sgml Tue Jul 11 09:24:09 2000
@@ -96,6 +96,36 @@
</varlistentry>
</variablelist>
+ <para>There are also some other OPTIONAL items that you can compile
+ into the kernel for some added security. These are not required in
+ order to get firewalling to work, but some more paranoid users may
+ want to use them.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><literal>options TCP_RESTRICT_RST</literal></term>
+
+ <listitem>
+ <para>This option blocks all TCP RST packets. This is
+ best used for systems that might be exposed to SYN
+ flooding (IRC Servers are a good example) or for those who
+ do not want to be easily portscannable.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>options TCP_DROP_SYNFIN</literal></term>
+
+ <listitem>
+ <para>This option ignores TCP packets with SYN and FIN. This
+ prevents tools such as nmap etc from identifying the TCP/IP
+ stack of the machine, but breaks support for RFC1644
+ extensions. This is NOT recommended if the machine will be
+ running web server.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
<para>Don't reboot once you have recompiled the kernel. Hopefully, we will
need to reboot just once in order to complete the installing of the
firewall.</para>
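Review bot: The sentence "This option blocks all TCP RST packets" in the TCP_RESTRICT_RST entry is ambiguous about direction; the rationale given (SYN flooding, not being "easily portscannable") only makes sense if the option restricts the RSTs this host emits for closed ports, whereas blocking inbound RSTs would be a different and far more disruptive behaviour, so the paragraph should say explicitly which packets are affected. In the TCP_DROP_SYNFIN entry, "running web server" needs an article ("running a web server"), and it would help the reader to say in one clause why RFC 1644 (T/TCP) matters for web servers rather than leaving the trade-off implicit; "RFC1644" should also be written as "RFC 1644" to match the rest of the document.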
@@ -113,7 +143,8 @@
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
-natd_flags="-dynamic"</programlisting>
+natd_flags="-dynamic"
+natd_flags="-dynamic yes" #(For FreeBSD 3.5)</programlisting>
<para>For more information on what the above do take a look at
<filename>/etc/defaults/rc.conf</filename> and read
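Review bot: The listing now sets natd_flags twice, and since rc.conf is sourced as a shell script the second assignment ("-dynamic yes") silently overrides the first on every release, so a reader who pastes the listing verbatim never gets the plain "-dynamic" form; show only one assignment in the listing and move the version distinction into the surrounding prose (or into a second, clearly labelled listing), e.g. "On FreeBSD 3.5 and later use natd_flags="-dynamic yes"; earlier releases use natd_flags="-dynamic"". The trailing "#(For FreeBSD 3.5)" comment should also gain a space after the "#" for readability.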
>Release-Note:
>Audit-Trail:
>Unformatted: