Attachment #9752 for bug #19841

View | Details | Raw Unified | Return to bug 19841
Collapse All | Expand All




      </varlistentry>
    </variablelist>

    <para>There are also some other OPTIONAL items that you can compile
     into the kernel for some added security.  These are not required in
     order to get firewalling to work, but some more paranoid users may
     want to use them.</para>

    <variablelist>
      <varlistentry>
	<term><literal>options TCP_RESTRICT_RST</literal></term>

	<listitem>
	  <para>This option blocks all TCP RST packets.  This is
	    best used for systems that might be exposed to SYN 
	    flooding (IRC Servers are a good example) or for those who 
     	    do not want to be easily portscannable.</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term><literal>options TCP_DROP_SYNFIN</literal></term>

	<listitem>
	  <para>This option ignores TCP packets with SYN and FIN.  This
	   prevents tools such as nmap etc from identifying the TCP/IP
 	   stack of the machine, but breaks support for RFC1644
	   extensions.  This is NOT recommended if the machine will be
	   running web server.</para>
	</listitem>
      </varlistentry>
     </variablelist>

    <para>Don't reboot once you have recompiled the kernel. Hopefully, we will
      need to reboot just once in order to complete the installing of the
      firewall.</para>

firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"
natd_flags="-dynamic yes" #(For FreeBSD 3.5)</programlisting>

    <para>For more information on what the above do take a look at
      <filename>/etc/defaults/rc.conf</filename> and read

Return to bug 19841

Lines 96-101 Link Here

(-)article.sgml (-1 / +32 lines)
96	</varlistentry>	96	</varlistentry>
97	</variablelist>	97	</variablelist>
98		98
		99	<para>There are also some other OPTIONAL items that you can compile
		100	into the kernel for some added security. These are not required in
		101	order to get firewalling to work, but some more paranoid users may
		102	want to use them.</para>
		103
		104	<variablelist>
		105	<varlistentry>
		106	<term><literal>options TCP_RESTRICT_RST</literal></term>
		107
		108	<listitem>
		109	<para>This option blocks all TCP RST packets. This is
		110	best used for systems that might be exposed to SYN
		111	flooding (IRC Servers are a good example) or for those who
		112	do not want to be easily portscannable.</para>
		113	</listitem>
		114	</varlistentry>
		115
		116	<varlistentry>
		117	<term><literal>options TCP_DROP_SYNFIN</literal></term>
		118
		119	<listitem>
		120	<para>This option ignores TCP packets with SYN and FIN. This
		121	prevents tools such as nmap etc from identifying the TCP/IP
		122	stack of the machine, but breaks support for RFC1644
		123	extensions. This is NOT recommended if the machine will be
		124	running web server.</para>
		125	</listitem>
		126	</varlistentry>
		127	</variablelist>
		128
99	<para>Don't reboot once you have recompiled the kernel. Hopefully, we will	129	<para>Don't reboot once you have recompiled the kernel. Hopefully, we will
100	need to reboot just once in order to complete the installing of the	130	need to reboot just once in order to complete the installing of the
101	firewall.</para>	131	firewall.</para>
Lines 113-119 Link Here
113	firewall_script="/etc/firewall/fwrules"	143	firewall_script="/etc/firewall/fwrules"
114	natd_enable="YES"	144	natd_enable="YES"
115	natd_interface="tun0"	145	natd_interface="tun0"
116	natd_flags="-dynamic"</programlisting>	146	natd_flags="-dynamic"
		147	natd_flags="-dynamic yes" #(For FreeBSD 3.5)</programlisting>
117		148
118	<para>For more information on what the above do take a look at	149	<para>For more information on what the above do take a look at
119	<filename>/etc/defaults/rc.conf</filename> and read	150	<filename>/etc/defaults/rc.conf</filename> and read