Subject: Re: security for netbsd as web server
To: Amadeus Stevenson <amadeus.stevenson@gmail.com>
From: Felix Deichmann <f.dei@web.de>
List: netbsd-users
Date: 03/25/2005 23:32:14

Amadeus Stevenson wrote:
> -ipfilter block all default, allow in www with keep state

If you expect many connections and "keep state", be sure that the state 
table is big enough then. See IPSTATE_SIZE and IPSTATE_MAX in ip_state.h.

> Is there anything else you could do? Password rotation? What would you
> do if you had to run, say, a security-critical (e.g. a bank or paypal)
> system?

If you are really paranoid:
# sysctl -w net.inet.ip.random_id=1

But it increases CPU overhead, of course.


Regards

Felix
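
Added example (not part of the message above and not IPFilter's own code): a shell check for the state-table sizing advice, reading `ipfstat -s` counters and reporting when the table is at or near its limit. The counter layout ("N maximum", "N no memory", "N active"), the reading of "maximum" as entries refused at the limit, the function names and the sample numbers are assumptions constructed for illustration; pass the IPSTATE_MAX value from your own ip_state.h.

```sh
#!/bin/sh
# Added example: judge IPFilter state-table pressure from `ipfstat -s` counters.
# Assumption: counters are printed as "<count> <name>" lines, e.g. "0 maximum".

# Constructed sample input (not captured from a real host).
sample_ipfstat() {
    cat <<'EOF'
IP states added:
        4100 TCP
        320 UDP
        98211 hits
        37 maximum
        0 no memory
        3990 active
        20 closed
EOF
}

# check_ipstate LIMIT [WARN_PCT]: reads `ipfstat -s` text on stdin.
# LIMIT is the IPSTATE_MAX value your kernel was built with.
# Exit status: 0 ok, 1 near the limit, 2 entries refused, 3 no usable input.
check_ipstate() {
    awk -v limit="$1" -v warn="${2:-80}" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            name = $2
            for (i = 3; i <= NF; i++) name = name " " $i
            c[name] = $1
        }
        END {
            if (!("active" in c) || (limit + 0) <= 0) {
                print "UNKNOWN: need an active counter and a positive limit"
                exit 3
            }
            pct = int(c["active"] * 100 / limit)
            if (c["maximum"] > 0 || c["no memory"] > 0) {
                printf "FULL: %d refused at limit, %d refused for memory, %d active\n", c["maximum"], c["no memory"], c["active"]
                exit 2
            }
            if (pct >= warn) {
                printf "WARN: %d of %d states in use (%d%%)\n", c["active"], limit, pct
                exit 1
            }
            printf "OK: %d of %d states in use (%d%%)\n", c["active"], limit, pct
        }'
}

# Demo on the constructed sample; on a live host: ipfstat -s | check_ipstate <limit>
sample_ipfstat | check_ipstate 4000 || true
```

A FULL result means new connections were already being turned away for lack of state entries, which is the condition the sizing advice is meant to prevent.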