Ted Unangst wrote:

quoted text
> On 5/9/07, Daniel Ouellet  wrote:

>> I try to stay safe in my choices and comments are welcome, but I have to

>> point out as well that ALL the values below needs to be changes to that

>> new value to get working well. If even only one of them is not at the

>> level below, the results in the tests start to be affected pretty bad at

>> times.

>> net.bpf.bufsize=524288

>> net.inet.ip.redirect=0

>

> never mind the rest, but these two really make no sense.  none.

Make no sense in the test and improving results, or make no sense in

setting them as such here?
net.inet.ip.redirect=0
Is to disable ICMP routing redirects. Otherwise, your system could have

its routing table misadjusted by an attacker. Wouldn't be wise to do so?

May be if PF is turn on, then there is no reason for this, but with PF

ON, I get drop and need to address that. Didn't pursue it yet as dead

however.
As for the net.bpf.bufsize, I am looking again in my notes and tests,

it's use for Berkeley Packet Filter (BPF), to maintains an internal

kernel buffer for storing packets received off the wire.
Yes in that case it make sense not to have that here. I redid the tests

with the default value and yes you are right! This one is wrong here.

May be lack of sleep. (;> Thanks for correcting me!
I also have the revise my statement on the net.inet.ip.portfirst=32768

effect. In a series of new tests, it doesn't have the impact noted the

first test runs. So, I would keep it as default value as well now. May

be it was when PF was enable that I have more of an impact then. But my

notes are not clear on that specific one.
Anything else you see that may be questionable in what I sent? I am

doing more tests with different hardware to be sure it's all sane value

in the end.
Other wise many thanks for having taken the time to look it over and

give me your feedback on it!
I sure appreciate it big time!
Best
Daniel