Subject: Re: Should loose source routing be enabled if not IPFORWARDING?
To: Herb Peyerl <hpeyerl@novatel.ca>
From: Mark P. Gooderum <mark@nirvana.good.com>
List: current-users
Date: 12/14/1994 11:14:53
> George Michaelson <G.Michaelson@cc.uq.oz.au>  wrote:
>  > Anybody have any idea what NetBSD maybe should do by default? Seems to
>  > me that disabling forwarding doesn't necessarily imply no packet transit
>  > through the kernel, and that a distinct option in the kernel config might
>  > be wanted to make a box into a firewall.
> 
> I also disable forwarding on our firewall box and I've thought about
> how to make this easily configurable without being too easily configurable.

In my view if GATEWAY is on, source routed packets should be passed, if
not, they shouldn't.  If you've turned off packet forwarding/routing
you're clearly (to me) don't want packets of any kind passing through the
machine (at least not without some application sending on the data).
None of the legitimate uses of source routing have any need to pass through
a box that has GATEWAY off.

> There were two suggestions.  One was a sysctl which I'm not fond of in
> that situation because should someone gain root on the firewall (well,
> in that case you're screwed anyhow but) then they can easily enable
> forwarding without attracting too much attention.

Well, you could say that it only works to change it when it's at
security level 0, so you can boot a box as a firewall or not with a
common kernel.

> I also wanted to put in some logging whereby if someone did send a source
> routed packet and forwarding was disabled, then it would log as much about
> the packet as it knew... 

From a security point of view, it would be good to have kernel level
packet filtering code.  Better would be if this code could log attempts
to connect to ports that aren't there (for instance, you may not run X
or NFS, but would like to know if someone was systematically probing
your high number TCP (or UDP) ports).
--
Mark Gooderum
mark@good.com
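The policy discussed in this thread (pass source-routed packets only when the box is a gateway, otherwise drop and log them, and let the forwarding flag be changed only at securelevel 0) as an added worked example in C. This is not code from the thread or from NetBSD; the option codes are the real RFC 791 values (LSRR 131, SSRR 137), but the packet bytes are constructed samples and the `set_ip_forwarding` function is a user-space model of the securelevel-gated sysctl idea, not the kernel's actual implementation.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* IPv4 option codes from RFC 791 */
#define IPOPT_EOL   0    /* end of option list */
#define IPOPT_NOP   1    /* single-byte no-op padding */
#define IPOPT_LSRR  131  /* loose source and record route */
#define IPOPT_SSRR  137  /* strict source and record route */

enum verdict { VERDICT_PASS = 0, VERDICT_DROP_LOG = 1, VERDICT_MALFORMED = 2 };

/* Walk the option area of an IPv4 header. Returns 1 if a loose or strict
 * source-route option is present, 0 if not, -1 if the header is malformed
 * (bad version, IHL out of range, or an option running past the header). */
int ip_has_source_route(const uint8_t *pkt, size_t len)
{
    if (len < 20) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < 20 || ihl > len) return -1;
    size_t off = 20;
    while (off < ihl) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { off++; continue; }
        if (off + 1 >= ihl) return -1;          /* no room for the length byte */
        uint8_t olen = pkt[off + 1];
        if (olen < 2 || off + olen > ihl) return -1;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (olen < 3) return -1;            /* must at least carry the pointer byte */
            return 1;
        }
        off += olen;
    }
    return 0;
}

/* Policy from the thread: with forwarding (GATEWAY) on, a source-routed packet
 * may transit; with it off, the packet is dropped and what we know is logged. */
enum verdict source_route_verdict(const uint8_t *pkt, size_t len, int forwarding)
{
    int sr = ip_has_source_route(pkt, len);
    if (sr < 0) return VERDICT_MALFORMED;
    if (sr == 0 || forwarding) return VERDICT_PASS;
    fprintf(stderr, "dropped source-routed packet %u.%u.%u.%u -> %u.%u.%u.%u (forwarding off)\n",
            pkt[12], pkt[13], pkt[14], pkt[15], pkt[16], pkt[17], pkt[18], pkt[19]);
    return VERDICT_DROP_LOG;
}

/* Model of the securelevel-gated sysctl: the forwarding flag may only be
 * changed while securelevel is 0, so once the box raises securelevel at boot
 * a later root compromise cannot quietly turn forwarding on. Returns 0 on
 * success, -1 when refused. (Hypothetical; not the kernel's own sysctl code.) */
int set_ip_forwarding(int *ip_forwarding, int securelevel, int newval)
{
    if (securelevel > 0) return -1;
    *ip_forwarding = newval ? 1 : 0;
    return 0;
}

/* Constructed sample: IHL=7 header with one LSRR option (type 131, len 7,
 * pointer 4, one hop 198.51.100.1) followed by an EOL byte. */
static const uint8_t SAMPLE_LSRR[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,            /* source 10.0.0.1 */
    192, 0, 2, 1,           /* destination 192.0.2.1 */
    0x83, 0x07, 0x04, 198, 51, 100, 1, 0x00
};
/* Constructed sample: plain 20-byte header, no options. */
static const uint8_t SAMPLE_PLAIN[20] = {
    0x45, 0x00, 0x00, 0x14, 0x12, 0x35, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 192, 0, 2, 1
};
/* Constructed sample: IHL=6 but the LSRR length (9) overruns the header. */
static const uint8_t SAMPLE_BAD[24] = {
    0x46, 0x00, 0x00, 0x18, 0x12, 0x36, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 192, 0, 2, 1,
    0x83, 0x09, 0x04, 0x00
};

int main(void)
{
    int fwd = 0;
    printf("plain, forwarding off: %d\n", source_route_verdict(SAMPLE_PLAIN, sizeof SAMPLE_PLAIN, fwd));
    printf("lsrr, forwarding off:  %d\n", source_route_verdict(SAMPLE_LSRR, sizeof SAMPLE_LSRR, fwd));
    printf("set at securelevel 1:  %d\n", set_ip_forwarding(&fwd, 1, 1));
    printf("set at securelevel 0:  %d\n", set_ip_forwarding(&fwd, 0, 1));
    printf("lsrr, forwarding on:   %d\n", source_route_verdict(SAMPLE_LSRR, sizeof SAMPLE_LSRR, fwd));
    printf("malformed options:     %d\n", source_route_verdict(SAMPLE_BAD, sizeof SAMPLE_BAD, fwd));
    return 0;
}
```

The option walker treats any malformed option area as its own verdict rather than silently passing the packet, since a parser that gives up early on a bad length is exactly where a filter can be bypassed.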