network security sysctl mib's

Melvyn Sopacua freebsd-questions at webteckies.org
Wed Dec 3 13:19:06 PST 2003


On Tuesday 02 December 2003 18:29, fbsd_user wrote:

> Thank you for responding with pointers to where I
> can find some very limited documented info on the
> MIB's I asked about.

You're welcome.


> The only conclusion one can draw from the test results is that
> IPFILTER gets access to the packets before the log_in_vain Mib
> does.  To extrapolate on this, it would indicate the other network
> security Mibs I pointed out in my original post are in the same boat
> as log_in_vain.

I haven't looked at specifics, but this sounds logical to me. MIB's control or 
inform about system states. A firewall's task is to prevent stuff from 
entering the system.

> The remaining question then is does the IPFW firewall work the same
> way. If it does then all those network security Mib's only have
> effect on FBSD systems that are not running a firewall.

Not necessarily. You blocked all traffic, so the system does not register the 
specific event you're looking at. Did you try just enabling the firewall but 
setting an "allow all" rule?


> It's my opinion that in today's world of such emphasis on network
> security a clear understanding of these MIB's is absolutely
> necessary, indispensable, requisite information that has to be
> disseminated to the FBSD community and not buried in some obscure,
> very hard to find place like it currently is.

Documentation on many MIB's is hard to find indeed. Maybe you should join the 
documentation team to help out - but - in this specific case, the 2 (ipfw2 
on -CURRENT makes 3 even) firewall implementations are well documented and 
should instead be used if one is concerned about security, because they can 
log and handle anything *before* it enters the system.

> Here is the documentation I created in the sysctl.conf file. What do
> you think about it?

I would have to look at specifics and I think security at freebsd.org would be a 
more appropriate place to get some definitive answers.

-- 
Melvyn

=======================================================
FreeBSD sarevok.idg.nl 5.2-BETA FreeBSD 5.2-BETA #0: Wed Dec  3 20:13:44 CET 2003
    root at sarevok.webteckies.org:/usr/obj/usr/src/sys/SAREVOK_NOACPI  i386
=======================================================
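Melvyn's suggested test above (keep the firewall loaded but give it an "allow all" ruleset, then see whether net.inet.tcp.log_in_vain still reports the probe), written out as an added sh example that is not part of the thread. It assumes a FreeBSD host with ipfw(8) available and root privileges for the sysctl and ipfw calls; the rule number, host names, addresses and the sample /var/log/messages lines are constructed for illustration, and the "Connection attempt to TCP ... from ..." line shape is the kernel's tcp_input.c message as recalled here, so compare it against your own log before relying on the parser.

```shell
#!/bin/sh
# Added example, not from the thread. Implements the "allow all" test:
# with ipfw loaded but passing everything, any line the kernel still logs
# under net.inet.tcp.log_in_vain shows the MIB works alongside the
# firewall rather than being pre-empted by it.
# Assumes FreeBSD with ipfw(8) and root; names and addresses are constructed.

# Step 1 (root only, run with "--apply"): enable the MIB and replace the
# ruleset with a single allow-all rule, so ipfw cannot be the reason a
# probe goes unlogged.
open_firewall_and_enable_log_in_vain() {
    sysctl net.inet.tcp.log_in_vain=1
    ipfw -f flush
    ipfw add 100 allow ip from any to any
}

# Step 2: from another host, probe a port nothing listens on, e.g.
#   telnet <this host> 9
# then feed /var/log/messages to the function below.

# Step 3: count in-vain connection attempts per source address (IPv4),
# most active source first. Assumed syslog line shape:
#   ... kernel: Connection attempt to TCP 10.0.0.5:22 from 192.0.2.7:51342 flags:0x2
count_in_vain_by_source() {
    grep 'Connection attempt to TCP' \
        | sed -n 's/.* from \([0-9.]*\):[0-9][0-9]*.*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample of what /var/log/messages might hold after step 2.
SAMPLE_LOG='Dec  3 20:13:44 sarevok kernel: Connection attempt to TCP 10.0.0.5:22 from 192.0.2.7:51342 flags:0x2
Dec  3 20:13:45 sarevok kernel: Connection attempt to TCP 10.0.0.5:23 from 192.0.2.7:51343 flags:0x2
Dec  3 20:13:46 sarevok kernel: Connection attempt to TCP 10.0.0.5:80 from 198.51.100.9:40001 flags:0x2
Dec  3 20:13:47 sarevok sshd[123]: Accepted publickey for root from 192.0.2.7 port 51344 ssh2'

# Offline helpers over the constructed sample: the busiest source and the
# number of distinct sources (the sshd line must not be counted).
top_in_vain_source() {
    printf '%s\n' "$SAMPLE_LOG" | count_in_vain_by_source | head -n 1 | awk '{ print $2 }'
}

in_vain_source_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_in_vain_by_source | wc -l | tr -d ' '
}

if [ "$1" = "--apply" ]; then
    open_firewall_and_enable_log_in_vain
else
    printf '%s\n' "$SAMPLE_LOG" | count_in_vain_by_source
fi
```

Run without arguments it only parses the embedded sample; `--apply` as root performs the sysctl and ipfw changes on a live system. If the kernel logs the probe with the allow-all ruleset but not with the blocking ruleset, the MIB is simply never reached because the firewall dropped the packet first, which is the distinction the thread is after.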