On Thu, 23 Nov 2000 15:28:40 +0100, you wrote:
and, according to the ip_always_defrag kernel option question I would like to ask you what other kernel options are recommended to install to have improved security on an ipchains packet filter box.

Hi.

This is an excerpt from one of my fws:
(note comments are in Spanish; check url that somebody gave about /proc fs :-)))

## Enable automatic defragmentation in the kernel
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

## Filter fragmented packets (they should not arrive; the kernel defragments first)
ipchains -A input -f -j DENY -l

## Enable SYN cookies in the kernel (protection against SYN flood)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## Enable spoofing protection in the kernel (Source Address Verification)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done

## Disable ICMP redirects in the kernel
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done

## Disable source-routed packets in the kernel
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done

Regards.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
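
Added example, not part of the original message: a read-only check that the /proc entries written by the excerpt above hold the values it sets, on every interface directory, e.g. after a reboot or when an interface has been added. The function names and the optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Audit the kernel settings from the excerpt above against the values it sets.
# The optional root argument (assumption of this example) lets the check run
# against a copy of the tree instead of the live /proc.

# check_one FILE WANT: print a finding and return 1 unless FILE contains WANT.
check_one() {
    file=$1 want=$2
    if [ ! -r "$file" ]; then
        echo "MISSING $file (wanted $want)"
        return 1
    fi
    got=$(cat "$file")
    if [ "$got" != "$want" ]; then
        echo "BAD     $file = $got (wanted $want)"
        return 1
    fi
    return 0
}

# audit_fw_sysctls [ROOT]: exit status is the number of deviations (0 = clean).
audit_fw_sysctls() {
    root=${1:-/proc}
    ipv4=$root/sys/net/ipv4
    bad=0
    check_one "$ipv4/ip_always_defrag" 1 || bad=$((bad + 1))
    check_one "$ipv4/tcp_syncookies" 1 || bad=$((bad + 1))
    # Every per-interface directory, including "all" and "default" if present.
    for ifdir in "$ipv4"/conf/*/; do
        [ -d "$ifdir" ] || continue
        check_one "${ifdir}rp_filter" 1 || bad=$((bad + 1))
        check_one "${ifdir}accept_redirects" 0 || bad=$((bad + 1))
        check_one "${ifdir}accept_source_route" 0 || bad=$((bad + 1))
    done
    return "$bad"
}

# Check the live system only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_fw_sysctls /proc; fi
```

A MISSING line means the kernel does not expose that entry at all, which is reported separately from a wrong value so the two cases can be handled differently.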