From: "fbsd_user" <fbsd_user@a1poweruser.com>
Date: Sun, 7 Dec 2003 11:49:42 -0500
cc: freebsd-ipfw@freebsd.org
cc: freebsd-questions@FreeBSD.ORG
Subject: FreeBSD IPFW/IPFILTER & sysctl MIB's

Renaud,

Read your how-to at http://renaud.waldura.com/doc/freebsd/firewall/ and first want to say I can tell from what you wrote that you really know your security subject. The only thing lacking is your IPFW rules are all stateless; you should really address the subject of only using stateful rules [i.e. keep-state] on all allow rules. I am glad to meet you.

All the things below which I cut out of your how-to are MIB's in sysctl; enabling them in the kernel source, or in the rc.conf setup, or in sysctl really makes no difference.
I have asked this question repeatedly over the months in the FBSD questions list and get no answer, so I ran my own test bench tests. The question is, who gets access to the packets first, these MIB's or the firewall?

Now my test bench tests demonstrate that once IPFW or IPFILTER is enabled, either in the kernel source or in the rc.conf to load the module, all these MIB's for all practical purposes become inactive. I used log_in_vain because it gives a log message when it drops a packet, and it stops issuing messages when the firewall gets enabled.

I am not an accomplished code reader so I could not follow the original FBSD system source code. But it looks like at the very least the firewall code gets access to the packets before the MIB's do, and all the things the MIB's are supposed to do are taken care of by the firewall before the MIB's get their turn at the packets. Or at the very worst the firewall code replaces the code where these MIB's live and they never get their turn at the packets. What is happening at this level of the system is way over my abilities to figure out.

It's my conclusion that these MIB's and some others are only effective without a firewall; they are really a poor man's firewall. Now there is no documentation in FBSD that talks about this; the man pages are so cryptic and ambiguous that they're useless. All they say is that these MIB's exist; what good is that? Don't get me started on the poor, substandard quality of FBSD documentation, that's a whole other question.

Since these MIB's seem not to cause any harm when used with a firewall, I always recommend enabling them in sysctl; one can not be too safe. Can you shed any light on this question?
Thanks

In kernel source:

options TCP_DROP_SYNFIN      # drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST     # restrict emission of TCP RST
options ICMP_BANDLIM         # rate limit ICMP replies

In rc.conf:

tcp_drop_synfin=YES
tcp_restrict_rst=YES
icmp_bmcastecho=NO
icmp_drop_redirect=YES
icmp_log_redirect=YES

In sysctl.conf:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
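As an added example (not part of this mail or of Renaud's how-to): a small Python audit that reads a `sysctl -a` dump or a sysctl.conf, reports which of the MIB's listed above are missing or not at the recommended value, and checks net.inet.ip.fw.enable so the reader knows whether ipfw is in front of these MIB's as the test bench observation above suggests. The mapping of the rc.conf knobs to net.inet.* names and the sample dump are assumptions/constructed, not taken from a real host.

```python
import re
# Expected values keyed by sysctl MIB name. The rc.conf knobs in the mail
# (tcp_drop_synfin, tcp_restrict_rst, icmp_*) are assumed to map to these names.
EXPECTED = {
    "net.inet.tcp.drop_synfin": 1, "net.inet.tcp.restrict_rst": 1,
    "net.inet.icmp.bmcastecho": 0, "net.inet.icmp.drop_redirect": 1,
    "net.inet.icmp.log_redirect": 1, "net.inet.tcp.blackhole": 2,
    "net.inet.udp.blackhole": 1, "net.inet.tcp.log_in_vain": 1,
    "net.inet.udp.log_in_vain": 1,
}
# Matches both `sysctl -a` output (name: value) and sysctl.conf (name=value).
LINE_RE = re.compile(r"^([\w.\-]+)\s*[:=]\s*(.*)$")

def parse_sysctl(text):
    """Return {mib: value-string}; blank and comment lines are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = LINE_RE.match(line)
            if m:
                values[m.group(1)] = m.group(2).strip()
    return values

def audit(values):
    """Return {mib: (expected, actual)} for MIBs missing or not at the expected value."""
    return {mib: (want, values.get(mib))
            for mib, want in EXPECTED.items() if values.get(mib) != str(want)}

def firewall_active(values):
    """True when ipfw is loaded and enabled (net.inet.ip.fw.enable reads 1)."""
    return values.get("net.inet.ip.fw.enable") == "1"

# Constructed sample dump (not from a real host): two MIBs off, ipfw enabled.
SAMPLE = """\
net.inet.tcp.drop_synfin: 1
net.inet.tcp.restrict_rst: 1
net.inet.icmp.bmcastecho: 0
net.inet.icmp.drop_redirect: 1
net.inet.icmp.log_redirect: 0
net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 0
net.inet.tcp.log_in_vain: 1
net.inet.udp.log_in_vain: 1
net.inet.ip.fw.enable: 1
"""
if __name__ == "__main__":
    vals = parse_sysctl(SAMPLE)
    for mib, (want, got) in sorted(audit(vals).items()):
        print(f"{mib}: want {want}, got {got}")
    print("ipfw enabled:", firewall_active(vals))
```

On a live host, feed it the output of `sysctl -a` instead of SAMPLE; a MIB that is reported fine but never logs anything while ipfw is enabled is exactly the situation the mail describes.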