2009/5/4 Ricardo Augusto de Souza <ricardo.so...@cmtsp.com.br>:
> #___________________________________________________________________________
> # KERNEL protection
> #___________________________________________________________________________
> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward

man sysctl

> #Block source routing
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

man sysctl

> #Enable SYN Cookies
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

man sysctl

> #Kill redirects
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects

man sysctl

> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack

man sysctl

Your problem isn't necessarily your understanding of pf, it's of *nix in
general. Don't feel bad, a lot of Linux admins grow too reliant on using
/proc directly instead of using the more appropriate method of setting
values, sysctl.

kmw

-- 
To take from one, because it is thought that his own industry and that
of his fathers has acquired too much, in order to spare to others, who,
or whose fathers have not exercised equal industry and skill, is to
violate arbitrarily the first principle of association, 'the guarantee
to every one of a free exercise of his industry, & the fruits acquired
by it.'
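An added example, not part of the original message: on Linux a sysctl key is the path below /proc/sys with slashes replaced by dots, so the quoted `echo` writes can be turned into `sysctl.conf` lines and reviewed in one place. The function names `proc_to_sysctl` and `audit_sysctl` are hypothetical, and the sample input is constructed from lines of the quoted script.

```shell
#!/bin/sh
# Constructed sample: a subset of the writes from the quoted script.
SAMPLE='echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout'

# proc_to_sysctl: read shell lines on stdin and print "key = value"
# (sysctl.conf syntax) for every active write below /proc/sys.
# Commented-out lines are skipped, so a disabled setting stays visible
# as missing from the output.
proc_to_sysctl() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "echo" && $3 == ">" && index($4, "/proc/sys/") == 1 {
            key = substr($4, 11)      # drop the "/proc/sys/" prefix
            gsub("/", ".", key)       # path separators become dots
            print key " = " $2
        }'
}

# audit_sysctl: read "key = value" lines and print the keys that leave
# source-routed packets or ICMP redirects accepted (any value but 0).
audit_sysctl() {
    awk -F' = ' '
        $1 ~ /\.accept_(source_route|redirects)$/ && $2 != 0 { print $1 }'
}

echo "# sysctl.conf equivalent:"
printf '%s\n' "$SAMPLE" | proc_to_sysctl
echo "# keys whose value accepts what the comment says to block:"
printf '%s\n' "$SAMPLE" | proc_to_sysctl | audit_sysctl
```

Both `accept_*` keys are reported because writing 1 enables acceptance; the value that matches the "Block" and "Kill" comments is 0.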