Subject: Re: Thanks and some Questions....
To: David Maxwell <david@vex.net>
From: Michael Cozzi <cozzi@cozziconsulting.com>
List: current-users
Date: 10/05/2004 15:19:35
David Maxwell wrote:

>On Tue, 05 Oct 2004, Michael Cozzi wrote:
>  
>
>>   I have one problem though. I'm one of those folks who came to Unix 
>>from Linux and though I'm getting along pretty fine, I'm a bit lost on 
>>the capabilities for firewalling through the kernel.
>>    
>>
>
>Make sure your kernel config includes:
>
>pseudo-device   ipfilter                # IP filter (firewall) and NAT
>
>I see that it is commented out in the GENERIC kernel. It was commented
>out with the cvs message 'Shrink a little again to avoid firmware
>limits'. (I don't have a cobalt, so I'm not familiar with the firmware
>space issue)
>
>Create /etc/ipf.conf (from examples below) and set ipfilter=YES in
>/etc/rc.conf
>  
>

    David,

    Thank you for your detailed response. It was very helpful.

    Depending on the issue with the kernel, I may not be able to 
firewall in this manner because the boot ROM on a Raq2 has a kernel size 
limitation.

    My security policy when running Linux has been essentially to make 
all unused ports, and ICMP, unresponsive, with a port scan detector set 
to block scanning IPs semi-permanently by the time they would be able to 
get any useful information. It's not the only security related thing the 
boxes do, but it is helpful.

    It's clear I'm in a different world with this Raq2 and NetBSD. The 
layout is quite different than what I'm used to.

    Time to learn a new OS...

--
cozzi@cozziconsulting.com
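As an added example, not part of this thread and not the NetBSD project's own configuration, here is an /etc/ipf.conf that implements the policy Michael describes (all unused ports and ICMP silently unresponsive, replies to the box's own outbound traffic allowed back in) on a kernel built with the ipfilter pseudo-device. It assumes the RaQ2's Ethernet interface is tlp0 and that SSH is the only service to expose; both are assumptions, so adjust the interface name and the pass-in rules to the box. The port-scan detector is a separate tool and is not covered here.

```ipf
# /etc/ipf.conf (example, assumed interface tlp0, assumed only sshd is public)
# IPFilter evaluates all rules; the last match wins unless a rule says
# "quick", which stops evaluation at that rule. The first rule is a
# non-quick catch-all so anything no later rule passes is dropped.
block in all

# Loopback is always fine.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: loopback addresses must never arrive on the real interface.
block in quick on tlp0 from 127.0.0.0/8 to any
block in quick on tlp0 from any to 127.0.0.0/8

# Drop runt fragments that cannot be inspected.
block in quick on tlp0 all with short

# Let the box's own connections out and their replies back in by tracking
# state, so no generic "pass in" rules are needed for return traffic.
pass out quick on tlp0 proto tcp  from any to any flags S keep state
pass out quick on tlp0 proto udp  from any to any keep state
pass out quick on tlp0 proto icmp from any to any keep state

# The one exposed service: SSH. Add one such line per public port.
pass in quick on tlp0 proto tcp from any to any port = 22 flags S keep state

# Everything else inbound, ICMP included, is dropped silently. Plain
# "block" sends nothing back, so the port reads as filtered rather than
# closed; "block return-rst" would answer with a RST instead, which is the
# opposite of the "unresponsive" policy above. "log" sends a record to ipmon.
block in log quick on tlp0 proto icmp all
block in log quick on tlp0 all
```

With the file in place, set ipfilter=YES in /etc/rc.conf as David describes, and ipmon=YES as well if the logged blocks should reach syslog; /etc/rc.d/ipfilter loads the rules at boot, and `ipf -Fa -f /etc/ipf.conf` reloads them after an edit. Note the keep-state rules are what make the blanket inbound block workable: without them, the replies to the box's own outgoing connections would be dropped along with everything else.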