Ted Unangst wrote:
On 5/9/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
I try to stay safe in my choices and comments are welcome, but I have to
point out as well that ALL the values below needs to be changes to that
new value to get working well. If even only one of them is not at the
level below, the results in the tests start to be affected pretty bad at
times.
net.bpf.bufsize=524288
net.inet.ip.redirect=0
never mind the rest, but these two really make no sense. none.
Make no sense in the test and improving results, or make no sense in
setting them as such here?
net.inet.ip.redirect=0
Is to disable ICMP routing redirects. Otherwise, your system could have
its routing table misadjusted by an attacker. Wouldn't be wise to do so?
May be if PF is turn on, then there is no reason for this, but with PF
ON, I get drop and need to address that. Didn't pursue it yet as dead
however.
As for the net.bpf.bufsize, I am looking again in my notes and tests,
it's use for Berkeley Packet Filter (BPF), to maintains an internal
kernel buffer for storing packets received off the wire.
Yes in that case it make sense not to have that here. I redid the tests
with the default value and yes you are right! This one is wrong here.
May be lack of sleep. (;> Thanks for correcting me!
I also have the revise my statement on the net.inet.ip.portfirst=32768
effect. In a series of new tests, it doesn't have the impact noted the
first test runs. So, I would keep it as default value as well now. May
be it was when PF was enable that I have more of an impact then. But my
notes are not clear on that specific one.
Anything else you see that may be questionable in what I sent? I am
doing more tests with different hardware to be sure it's all sane value
in the end.
Other wise many thanks for having taken the time to look it over and
give me your feedback on it!
I sure appreciate it big time!
Best
Daniel
