apropos sysctl

we get a list of several manpages, including blackhole(4), sysctl(3),
sysctl(8) and sysctl.conf(5).

These refer to several other sources, including ip(4), tcp(4), udp(4) and
rc.conf(5) - they also mention <sys/sysctl.h>, <sys/socket.h>,
<netinet/in.h>, <netinet/icmp_var.h> and <netinet/udp_var.h> if you want to
study the variables first-hand.

----- Original Message -----
From: "fbsd_user" <[EMAIL PROTECTED]>
Subject: network security sysctl mib's

> The sysctl.conf file contains MIBs to change the default setting of
> internal options of the kernel at boot up time.
> I have found these MIBs when I display all the sysctls.
> These deal with how packets entering the FBSD system are handled by
> default.
> There is no man info on any of these MIBs.
> I am looking for a description of what these do and
> why I would want to turn them on.
> There must be some network security reason or problem
> that these address or they would not have been created
> in the first place.
> Are these MIBs only intended to be used on FBSD systems
> that do not have firewalls?
> When do these MIBs get control
> in the kernel, as they relate to IPFW or IPFILTER
> firewall seeing the packets?
> [IE: do they all process against the packet before the packet
> is handed off to the firewall or after the firewall has done
> its thing and hands the packet back to the kernel?].
> Since these are network security MIBs why are they not documented
> someplace?
> They can have a large impact on the security of one's FBSD system,
> and should be made known to the general administrator of the FBSD
> system and the firewall administrator.
> I know I need an FBSD developer who makes code changes to the kernel
> to review the internal FBSD kernel code to answer these questions. I
> hope someone will help me in this.
> net.inet.icmp.drop_redirect=1
> net.inet.icmp.log_redirect=0
> net.inet.ip.redirect=0
> net.inet.ip.sourceroute=0
> net.inet.ip.accept_sourceroute=0
> net.inet.icmp.bmcastecho=0
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> To unsubscribe, send any mail to

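The ten MIBs the original poster listed are a checklist as much as a question, and the practical first step before reading the man pages is to find out which of them the running kernel already has at the desired value. The script below is an added example and is not part of the thread; it compares the poster's name=value list against sysctl(8) output and reports every entry that differs or is absent. It assumes sysctl(8) prints one "name: value" per line (the FreeBSD default) and, so that it runs anywhere, audits a constructed sample of that output in which four entries deliberately deviate; on a FreeBSD host it also audits the live `sysctl -a` output.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the sysctls the
# poster listed against what a kernel actually reports.

# The poster's desired settings, exactly as given in the mail.
WANTED='net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1'

# Constructed sample of `sysctl -a` output in the assumed "name: value"
# format. Three values deviate from WANTED and one MIB
# (net.inet.udp.log_in_vain) is missing altogether, so a correct audit
# reports four problems.
SAMPLE='net.inet.ip.forwarding: 0
net.inet.ip.redirect: 1
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0
net.inet.icmp.bmcastecho: 0
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 1
net.inet.tcp.log_in_vain: 1'

# audit_sysctls WANTED ACTUAL
# Prints one line per MIB whose live value differs from the wanted value,
# and one line per wanted MIB that the kernel does not report at all.
# Prints nothing when everything matches.
audit_sysctls() {
    wanted=$1
    actual=$2
    printf '%s\n' "$wanted" | while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        # Escape the dots so they match literally in the sed pattern.
        esc=$(printf '%s' "$name" | sed 's/\./\\./g')
        have=$(printf '%s\n' "$actual" | sed -n "s/^$esc: //p")
        if [ -z "$have" ]; then
            printf 'MISSING  %s (wanted %s)\n' "$name" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'DIFFERS  %s is %s, wanted %s\n' "$name" "$have" "$want"
        fi
    done
}

# count_mismatches WANTED ACTUAL -> number of lines audit_sysctls prints.
count_mismatches() {
    audit_sysctls "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: audit the constructed sample, then the live kernel
# when this is actually a FreeBSD host.
audit_sysctls "$WANTED" "$SAMPLE"
if [ "$(uname -s)" = FreeBSD ] && command -v sysctl >/dev/null 2>&1; then
    audit_sysctls "$WANTED" "$(sysctl -a 2>/dev/null)"
fi
```

Each DIFFERS line is a candidate for sysctl.conf(5); a MISSING line on a real system means the name is not present in that kernel's MIB tree, which is worth knowing before putting it in sysctl.conf, where an unknown name only produces a warning at boot.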