Firewall Wizards mailing list archives

Re: Kernel options for FW?


From: Darren Reed <darrenr () cyber com au>
Date: Sun, 21 Dec 1997 22:01:36 +1100 (EST)

In some mail I received from Adam Shostack, sie wrote

> (This is not meant to spark a religious war.  I'm asking for help
> configuring a kernel, and comparing kernel security features between
> FreeBSD and NetBSD to make a reasonable decision.)

> On NetBSD, I'd enable the following options.  I can't find equivalents
> to these on FreeBSD.  Do they exist, and what are they?   Also, I know
> FreeBSD sets kernel security wrong (-1) by default, and that needs to
> be fixed.  Are there other things that I should know about on FreeBSD
> to do everything right?

I'm using FreeBSD 2.2.5 here...

> options IPFORWSRCRT=0 //Turn off source routing.

net.inet.ip.sourceroute: 0

> options IPNOPRIVPORTS //Remove concept of priv'd ports so BIND doesn't
>                     //need to run as root.

net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024

Might be worth investigating for what these can offer to you.  I've not
played with these but it might be interesting :-)

Although, I think these affect what binding to port 0 does...

[...]

You should check that the following sysctl variable is off unless you
need it on:

net.inet.ip.forwarding

You might also want to think about

net.inet.ip.redirect
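The reply above boils down to a short list of `net.inet.ip.*` sysctls that a firewall host should normally have switched off (source routing, IP forwarding, ICMP redirects). The script below is an added example, not part of the thread or of FreeBSD itself: it compares a `sysctl -a` style dump (`name: value` lines, the format shown in the reply) against that policy and reports every entry that is missing or deviates. The policy values are taken from the reply; the sample dump is constructed for the demonstration. `kern.securelevel` is left out because the thread says only that the default of -1 is wrong, not which value to require.

```shell
#!/bin/sh
# Added example (not code from the thread): audit a sysctl dump against the
# hardening settings discussed in the reply.

# Desired values, one "name=value" per line (derived from the reply).
POLICY="net.inet.ip.sourceroute=0
net.inet.ip.forwarding=0
net.inet.ip.redirect=0"

# Constructed sample dump in `sysctl -a` format; two settings deliberately
# violate the policy so the audit has something to report.
SAMPLE_DUMP="net.inet.ip.sourceroute: 1
net.inet.ip.forwarding: 0
net.inet.ip.redirect: 1
net.inet.ip.portrange.first: 1024"

# audit_sysctl reads "name: value" lines on stdin, prints one line for each
# policy entry that is missing or has the wrong value, and returns 1 if any
# entry deviates (0 when the dump satisfies the whole policy).
audit_sysctl() {
    dump=$(cat)
    rc=0
    for entry in $POLICY; do
        name=${entry%%=*}
        want=${entry#*=}
        # Exact match on the variable name; print only its value.
        have=$(printf '%s\n' "$dump" | awk -v n="$name" -F': ' '$1 == n { print $2 }')
        if [ -z "$have" ]; then
            echo "MISSING  $name (want $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "DEVIATES $name=$have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on the constructed dump. On a real FreeBSD host
# the same function would be fed with:  sysctl -a | audit_sysctl
printf '%s\n' "$SAMPLE_DUMP" | audit_sysctl || echo "audit: policy deviations found"
```

Because the function reads its input from stdin rather than calling `sysctl` directly, the same check can be run against a dump collected from a remote host or kept as a baseline, and a non-zero exit status makes it easy to wire into a cron job or deployment check.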
