FreeBSD IPFW/IPFILTER & sysctl MIB's

fbsd_user fbsd_user at a1poweruser.com
Sun Dec 7 08:49:46 PST 2003


Renaud


Read your how-to at http://renaud.waldura.com/doc/freebsd/firewall/
and first want to say I can tell from what you wrote that you really
know your security subject. The only thing lacking is that your IPFW
rules are all stateless; you should really address the subject of
only using stateful rules [ie: keep-state] on all allow rules. I am
glad to meet you.

All the things below, which I cut out of your how-to, are MIBs in
sysctl; enabling them in the kernel source, in rc.conf, or in
sysctl really makes no difference.

I have asked this question repeatedly over the months in the FBSD
questions list and got no answer, so I ran my own test bench tests.

The question is: who gets access to the packets first, these MIBs
or the firewall?

Now my test bench tests demonstrate that once IPFW or IPFILTER is
enabled, either in the kernel source or in rc.conf to load the
module, all these MIBs for all practical purposes become
inactive. I used log_in_vain because it gives a log message when it
drops a packet, and it stops issuing messages when the firewall
gets enabled. I am not an accomplished code reader, so I could not
follow the original FBSD system source code. But it looks like, at
the very least, the firewall code gets access to the packets before
the MIBs do, and all the things the MIBs are supposed to do are
taken care of by the firewall before the MIBs get their turn at the
packets. Or, at the very worst, the firewall code replaces the code
where these MIBs live and they never get their turn at the packets.
What is happening at this level of the system is way over my
abilities to figure out.

It's my conclusion that these MIBs and some others are only
effective without a firewall; they are really a poor man's
firewall. Now there is no documentation in FBSD that talks about
this; the man pages are so cryptic and ambiguous that they're useless.
All they say is that these MIBs exist; what good is that? Don't
get me started on the poor, substandard quality of FBSD
documentation; that's a whole other question.

Since these MIBs seem not to cause any harm when used with a
firewall, I always recommend enabling them in sysctl; one cannot
be too safe.

Can you shed any light on this question?  Thanks



In kernel source
options         TCP_DROP_SYNFIN         # drop TCP packets with SYN+FIN
options         TCP_RESTRICT_RST        # restrict emission of TCP RST
options         ICMP_BANDLIM            # rate limit ICMP replies

In rc.conf
tcp_drop_synfin=YES
tcp_restrict_rst=YES
icmp_bmcastecho=NO
icmp_drop_redirect=YES
icmp_log_redirect=YES

sysctl.conf
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1

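The following script is an added example and is not part of the post above or of Renaud's how-to. It does two things the post talks about: it audits a sysctl.conf fragment against the TCP/UDP/ICMP hardening knobs listed above (the sysctl names are the real FreeBSD MIB names; net.inet.tcp.drop_synfin exists only in a kernel built with TCP_DROP_SYNFIN), and it emits an ipfw(8) ruleset in the "keep-state on every allow rule" style the post recommends. The interface name xl0, the port list and the sample sysctl.conf are assumptions constructed for the example; nothing here touches a live kernel, so it runs on any POSIX sh.

```sh
#!/bin/sh
# Added example, not from the original post or how-to.  Interface "xl0",
# the port list and the sample sysctl.conf below are assumptions.

# Recommended values, one key=value per line (real FreeBSD MIB names;
# net.inet.tcp.drop_synfin needs a kernel built with TCP_DROP_SYNFIN).
WANTED='net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
net.inet.icmp.bmcastecho=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.tcp.drop_synfin=1'

# audit_sysctl_conf FILE
# Prints one line per knob: "OK key=value", "WEAK key=have (want value)"
# or "MISSING key (want value)".  sysctl.conf is applied top to bottom,
# so the last uncommented assignment of a key is the one that counts.
audit_sysctl_conf() {
    conf=$1
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # match dots literally
        have=$(grep "^[[:space:]]*$pat[[:space:]]*=" "$conf" | tail -n 1 |
               sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]*$//')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
        elif [ "$have" = "$want" ]; then
            echo "OK $key=$have"
        else
            echo "WEAK $key=$have (want $want)"
        fi
    done
}

# sysctl_problems FILE: number of knobs that are missing or weaker than wanted.
sysctl_problems() {
    audit_sysctl_conf "$1" | grep -vc '^OK ' || true
}

# stateful_ruleset IFACE "PORT PORT ..."
# Every allow rule on IFACE carries keep-state, so the dynamic rule that
# check-state consults is the only thing that lets reply packets in.
# Inbound TCP is accepted only on the listed ports and only for connection
# setup; everything else falls through to the final deny-and-log rule.
stateful_ruleset() {
    iface=$1
    ports=$2
    echo "add 00100 allow ip from any to any via lo0"
    echo "add 00200 deny ip from any to 127.0.0.0/8"
    echo "add 00300 check-state"
    echo "add 00400 allow tcp from me to any out via $iface setup keep-state"
    echo "add 00500 allow udp from me to any out via $iface keep-state"
    n=1000
    for p in $ports; do
        echo "add $n allow tcp from any to me $p in via $iface setup keep-state"
        n=$((n + 10))
    done
    echo "add 65000 deny log ip from any to any"
}

# write_sample_conf FILE: a constructed sysctl.conf with the post's four
# knobs, one of them deliberately weakened, and none of the ICMP knobs.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's sysctl.conf
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=0    # weakened on purpose
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
EOF
}

# Demo: audit the sample, then print a ruleset for a host serving ssh and http.
SAMPLE=${TMPDIR:-/tmp}/sysctl.conf.sample.$$
write_sample_conf "$SAMPLE"
audit_sysctl_conf "$SAMPLE"
echo "problems: $(sysctl_problems "$SAMPLE")"
rm -f "$SAMPLE"
echo
stateful_ruleset xl0 "22 80"
```

To use the ruleset on a real host, write the output to a file and point rc.conf at it with firewall_type="/path/to/file", which rc.firewall loads with ipfw. To audit live values rather than the file, substitute sysctl -n KEY for the grep in audit_sysctl_conf. Note that the knobs the audit checks act in the TCP/UDP layer, after the firewall has already seen the packet, which is why the post observes log_in_vain going quiet once IPFW is loaded.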