network security sysctl mib's

Rob listone at deathbeforedecaf.net
Tue Dec 2 04:31:00 PST 2003


Using

    apropos sysctl

we get a list of several manpages, including blackhole(4), sysctl(3),
sysctl(8) and sysctl.conf(5).

These refer to several other sources, including ip(4), tcp(4), udp(4) and
rc.conf(5) - they also mention <sys/sysctl.h>, <sys/socket.h>,
<netinet/in.h>, <netinet/icmp_var.h> and <netinet/udp_var.h> if you want to
study the variables first-hand.

----- Original Message -----
From: "fbsd_user" <fbsd_user at a1poweruser.com>
Subject: network security sysctl mib's


> The sysctl.conf file contains MIB's to change the default setting of
> internal options of the kernel at boot up time.
> I have found these MIB's when I display all the sysctl's.
>
> These deal with how packets entering the FBSD system are handled by
> default.
> There is no man info on any MIB's.
>
> I am looking for a description of what these do and
> why I would want to turn them on.
>
> There must be some network security reason or problem
> that these address or they would not have been created
> in the first place.
>
> Are these MIB's only intended to be used on FBSD systems
> that do not have firewalls?
>
> When do these MIB's get control
> in the kernel, as they relate to IPFW or IPFILTER
> firewall seeing the packets?
> [IE: do they all process against the packet before the packet
> is handed off to the firewall or after the firewall has done
> its thing and hands the packet back to the kernel?].
>
> Since these are network security MIB's why are they not documented
> someplace?
> They can have a large impact on the security of one's FBSD system,
> and should be made known to the general administrator of the FBSD
> system and the firewall administrator.
>
> I know I need an FBSD developer who makes code changes to the kernel
> to review the internal FBSD kernel code to answer these questions. I
> hope someone will help me in this.
>
> net.inet.icmp.drop_redirect=1
> net.inet.icmp.log_redirect=0
> net.inet.ip.redirect=0
>
> net.inet.ip.sourceroute=0
> net.inet.ip.accept_sourceroute=0
>
> net.inet.icmp.bmcastecho=0
>
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
>

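As an added example that is not part of the original thread (and not FreeBSD's own tooling): a POSIX sh drift check that compares the ten settings quoted above against what a host currently reports. It assumes the input is in the key=value form that `sysctl -e net.inet` prints on FreeBSD, which is also the form used in sysctl.conf(5); the sample files it builds for itself are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit a FreeBSD host's
# net.inet.* sysctl values against the hardening baseline quoted above.
# Input is one "key=value" line per setting, which is what `sysctl -e net.inet`
# prints on FreeBSD and also what /etc/sysctl.conf contains.

# The baseline is the list from the quoted message, verbatim.
BASELINE='net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1'

# check_sysctls FILE
# Compares every baseline key against FILE and prints one line per key that
# is missing or has a different value. Returns 0 when all match, 1 otherwise.
check_sysctls() {
    current="$1"
    rc=0
    # A here-document keeps the loop in the current shell so rc survives;
    # piping into `while` would run the loop in a subshell and lose it.
    while IFS='=' read -r key want; do
        # Exact match on the key before '=', ignoring blanks and comment lines.
        got=$(awk -F= -v k="$key" '
            /^[ \t]*#/ { next }
            { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
            $1 == k { print $2; exit }' "$current")
        if [ -z "$got" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
            rc=1
        elif [ "$got" != "$want" ]; then
            printf 'DRIFT   %s=%s (want %s)\n' "$key" "$got" "$want"
            rc=1
        fi
    done <<EOF
$BASELINE
EOF
    return $rc
}

# write_sample MODE
# Writes a constructed sample (not captured from a real host) of
# `sysctl -e net.inet` output to a temp file and prints the path.
# "clean" matches the baseline exactly; "drifted" sets tcp.blackhole back to 0
# and omits udp.log_in_vain, which is how a host looks when sysctl.conf was
# edited but the running kernel never picked the change up.
write_sample() {
    f=$(mktemp)
    if [ "$1" = clean ]; then
        printf '%s\n' "$BASELINE" > "$f"
    else
        printf '%s\n' "$BASELINE" \
            | grep -v 'udp\.log_in_vain' \
            | sed 's/tcp\.blackhole=2/tcp.blackhole=0/' > "$f"
    fi
    echo "$f"
}

# Run against a real capture when a file is given:
#   sysctl -e net.inet > /tmp/net.inet.now && sh check_sysctls.sh /tmp/net.inet.now
if [ "$#" -ge 1 ]; then
    check_sysctls "$1"
fi
```

sysctl.conf(5) is only read at boot, so a value changed on the live system with sysctl(8) and never written back to the file, or written to the file and never reloaded, is exactly the kind of mismatch this turns up; the output names the key, the value found and the value expected, so it drops straight into a change ticket.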