From marcs@draenor.org  Tue Jul 11 00:27:28 2000
Return-Path: <marcs@draenor.org>
Received: from draenor.org (draenor.org [196.36.119.129])
	by hub.freebsd.org (Postfix) with ESMTP id 8917337B91E
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 11 Jul 2000 00:27:24 -0700 (PDT)
	(envelope-from marcs@draenor.org)
Received: from marcs by draenor.org with local (Exim 3.15 #1)
	id 13BuQw-0009nT-00
	for FreeBSD-gnats-submit@freebsd.org; Tue, 11 Jul 2000 09:26:22 +0200
Message-Id: <E13BuQw-0009nT-00@draenor.org>
Date: Tue, 11 Jul 2000 09:26:22 +0200
From: Marc Silver <marcs@draenor.org>
Reply-To: marcs@draenor.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: Change to dialup firewalling article
X-Send-Pr-Version: 3.2

>Number:         19841
>Category:       docs
>Synopsis:       Change to dialup firewalling article
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 11 00:30:00 PDT 2000
>Closed-Date:    Tue Jul 11 03:21:57 PDT 2000
>Last-Modified:  Tue Jul 11 03:22:19 PDT 2000
>Originator:     Marc Silver
>Release:        FreeBSD 4.0-STABLE i386
>Organization:
>Environment:

	N/A

>Description:

	Changes to the natd command under FreeBSD 3.5 require a 
	minor change to the document.  Also added some notes on 
	additional security options for the KERNEL.

>How-To-Repeat:

	N/A

>Fix:

Please patch the file at your earliest convenience.

--- original.sgml	Mon Jun 26 13:30:35 2000
+++ article.sgml	Tue Jul 11 09:24:09 2000
@@ -96,6 +96,36 @@
       </varlistentry>
     </variablelist>
 
+    <para>There are also some other OPTIONAL items that you can compile
+     into the kernel for some added security.  These are not required in
+     order to get firewalling to work, but some more paranoid users may
+     want to use them.</para>
+
+    <variablelist>
+      <varlistentry>
+	<term><literal>options TCP_RESTRICT_RST</literal></term>
+
+	<listitem>
+	  <para>This option blocks all TCP RST packets.  This is
+	    best used for systems that might be exposed to SYN 
+	    flooding (IRC Servers are a good example) or for those who 
+     	    do not want to be easily portscannable.</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term><literal>options TCP_DROP_SYNFIN</literal></term>
+
+	<listitem>
+	  <para>This option ignores TCP packets with SYN and FIN.  This
+	   prevents tools such as nmap etc from identifying the TCP/IP
+ 	   stack of the machine, but breaks support for RFC1644
+	   extensions.  This is NOT recommended if the machine will be
+	   running web server.</para>
+	</listitem>
+      </varlistentry>
+     </variablelist>
+
     <para>Don't reboot once you have recompiled the kernel. Hopefully, we will
       need to reboot just once in order to complete the installing of the
       firewall.</para>
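Review bot: The TCP_RESTRICT_RST entry says the option "blocks all TCP RST packets" without saying in which direction, and the rationale it gives (harder to portscan, less exposure to SYN flooding) only holds if it is the host's own outgoing resets that are suppressed; say that explicitly, e.g. "This option stops the kernel from sending TCP RST packets", and spell out the trade-off for the reader, namely that a peer reaching a closed port sees a timeout instead of an immediate reset. In the TCP_DROP_SYNFIN entry, "TCP packets with SYN and FIN" should read "TCP packets with both the SYN and FIN flags set", "portscannable" is not a word (use "port scanned"), and "running web server" needs an article ("running a web server"). Minor: the continuation lines in both <para> blocks mix spaces and tabs inconsistently with the surrounding file.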
@@ -113,7 +143,8 @@
 firewall_script="/etc/firewall/fwrules"
 natd_enable="YES"
 natd_interface="tun0"
-natd_flags="-dynamic"</programlisting>
+natd_flags="-dynamic"
+natd_flags="-dynamic yes" #(For FreeBSD 3.5)</programlisting>
 
     <para>For more information on what the above do take a look at
       <filename>/etc/defaults/rc.conf</filename> and read
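Review bot: The two consecutive natd_flags= assignments in this listing are not alternatives as far as the system is concerned: rc.conf is sourced as a shell script, so the second line silently overrides the first, and a reader who copies the block verbatim ends up with "-dynamic yes" whatever release they run. If the 3.5 syntax really differs, document it as a version note in the surrounding <para> text or leave only one line active, rather than listing both as live settings. Note also that the inline "#(For FreeBSD 3.5)" comment sits inside the <programlisting> and will be rendered verbatim as part of the example.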

>Release-Note:
>Audit-Trail:

From: Neil Blakey-Milner <nbm@mithrandr.moria.org>
To: Marc Silver <marcs@draenor.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/19841: Change to dialup firewalling article
Date: Tue, 11 Jul 2000 10:55:18 +0200

 On Tue 2000-07-11 (09:26), Marc Silver wrote:
 > @@ -113,7 +143,8 @@
 >  firewall_script="/etc/firewall/fwrules"
 >  natd_enable="YES"
 >  natd_interface="tun0"
 > -natd_flags="-dynamic"</programlisting>
 > +natd_flags="-dynamic"
 > +natd_flags="-dynamic yes" #(For FreeBSD 3.5)</programlisting>
 
 You sure about this one, Marc?  It doesn't seem to do that here.
 
 Neil
 -- 
 Neil Blakey-Milner
 Sunesi Clinical Systems
 nbm@mithrandr.moria.org
 
State-Changed-From-To: open->closed 
State-Changed-By: nbm 
State-Changed-When: Tue Jul 11 03:21:57 PDT 2000 
State-Changed-Why:  
Updated, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19841 
>Unformatted:
