Subject: Re: security for netbsd as web server
To: Felix Deichmann
From: Steven M. Bellovin
List: netbsd-users
Date: 03/25/2005 17:39:52
In message, Felix Deichmann writes:
>Amadeus Stevenson wrote:
>> -ipfilter block all default, allow in www with keep state
>If you expect many connections and "keep state", be sure that the state 
>table is big enough then. See IPSTATE_SIZE and IPSTATE_MAX in ip_state.h.

For this sort of application, you don't need 'keep state'.  Virtually 
nothing should be running on the machine; you can block those ports 
explicitly (if there is indeed anything to block).  Outbound calls (if 
any) should just work.  Don't worry about scans; armor the machine and 
let the probes bounce off.

The real risk here isn't that they know you aren't running something; 
the risk is from the things you are running and can't shut down, like 
>> Is there anything else you could do? Password rotation? What would you
>> do if you had to run, say, a security-critical (eg. a bank or paypal)
>> system?
>If you are really paranoid:
># sysctl -w net.inet.ip.random_id=1
Against what threat?

		--Prof. Steven M. Bellovin,
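For readers unfamiliar with ipfilter, the two rule styles discussed in this thread, written out as an added example (constructed here, not posted by anyone in the thread; the interface name fxp0 is an assumption, and the host is assumed to originate no connections of its own, since a stateless inbound default-deny would also drop the replies to any outbound calls):

```conf
# ipf.conf sketch for a single-purpose web server (constructed example).
# Default-deny inbound; log what gets dropped so probes are visible.
block in log all
# Let the host send whatever it wants; nothing else should be running on it.
pass out quick all

# Stateful form, as proposed by the original poster: every accepted
# connection occupies an entry in the state table, so the table has to be
# sized for the expected connection count (IPSTATE_SIZE / IPSTATE_MAX in
# ip_state.h), and return traffic is matched by the state entry.
# pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state

# Stateless form, as suggested in the reply: admit TCP port 80 inbound and
# rely on the default-deny for everything else. No per-connection state is
# held, so there is no state table to exhaust under load or a flood of
# connections.
pass in quick on fxp0 proto tcp from any to any port = 80
```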