Securing FreeBSD

Rob listone at deathbeforedecaf.net
Fri May 16 01:20:15 PDT 2003


The TCP_DROP_SYNFIN option breaks support for T/TCP - see ttcp(4). This
could be used by webservers for small TCP sessions with minimum
overhead, but I don't know if any actually do it.

security(7) gives you an overview of various options. See blackhole(4)
for info on the sysctl variables you mentioned. Another option for your
kernel is ICMP_BANDLIM, though this is less necessary if you use
blackhole and a firewall.

----- Original Message -----
From: "G D McKee" <freebsd at gdmckee.com>
To: <freebsd-questions at freebsd.org>
Sent: Friday, May 16, 2003 3:30 AM
Subject: Securing FreeBSD


Hi all

I am trying to secure my freebsd box and avoid giving too much info away
to port scans.

I have found some sites relating to this and have put the following lines
in /etc/sysctl.conf

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

and added these to the firewall:

options         RANDOM_IP_ID
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN

Can someone explain to me why the TCP_DROP_SYNFIN option breaks web
access?  It doesn't seem to have made any changes that I have noticed.
I can't find any docs regarding this to explain what it might break.
Does anyone know any other variables to add to make me more secure?

Thanks in advance

Gordon
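As an added example (not code from either message in this thread), a small sh audit that compares a host's captured sysctl settings against the baseline discussed above. The sysctl names net.inet.tcp.drop_synfin and net.inet.icmp.icmplim are assumed here as the runtime counterparts of the TCP_DROP_SYNFIN and ICMP_BANDLIM kernel options, and the input is a constructed sample rather than output from a real host.

```shell
#!/bin/sh
# Added example: audit the sysctl hardening settings from the thread
# against a baseline. On a real FreeBSD host you would feed it the output
# of `sysctl net.inet.tcp.blackhole net.inet.udp.blackhole ...`; the
# sample below is constructed so the script runs anywhere.

# Baseline: sysctl name and the value recommended in the thread.
# drop_synfin and icmplim are assumed sysctl names for the
# TCP_DROP_SYNFIN and ICMP_BANDLIM kernel options.
BASELINE="net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.drop_synfin=1
net.inet.icmp.icmplim=200"

# Constructed sample in `sysctl` output style (name: value), as captured
# from a host that has only partly applied the settings.
SAMPLE="net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 0
net.inet.tcp.drop_synfin: 0
net.inet.icmp.icmplim: 200"

# audit_sysctl CAPTURED: print one line per setting that is missing from
# CAPTURED or differs from BASELINE; return 0 only if nothing deviates.
audit_sysctl() {
    captured=$1
    deviations=0
    for want in $BASELINE; do
        name=${want%%=*}
        value=${want#*=}
        have=$(printf '%s\n' "$captured" |
            awk -v n="$name" -F': ' '$1 == n { print $2 }')
        if [ -z "$have" ]; then
            echo "MISSING  $name (expected $value)"
            deviations=$((deviations + 1))
        elif [ "$have" != "$value" ]; then
            echo "MISMATCH $name is $have, expected $value"
            deviations=$((deviations + 1))
        fi
    done
    [ "$deviations" -eq 0 ]
}

if ! audit_sysctl "$SAMPLE"; then
    echo "one or more settings deviate from the baseline; fix /etc/sysctl.conf"
fi
```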
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions