Hi

I want to write a simple firewall for my bastion host (mail server). In Linux you can enable source address verification as a sysctl variable. This defeats some spoofing attacks. Does "source address verification" have to be done in IPFW, or is there a sysctl variable for this? Also, which ICMP messages would you recommend dropping? (For the moment I don't have time to set up Snort, so I want as little traffic as possible getting through.) How would you recommend dealing with fragmented packets, bearing in mind that the only other firewall in front of this mail server is my border router (Internet gateway)? Thanks for any advice.
You don't have to set a sysctl for source checking with IPFW. You can do (off the top of my head):

Code:
ipfw add 00010 deny log ip from any to any not verrevpath

Code:
check-state

As far as ICMP types, check out this website for an example ruleset where the author explains which ones he's allowed, etc.: http://securosis.com/blog/help-build...ules-sets-ever