 From:  Adrian Basescu <adrianeli at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  FreeBSD 4.11 RELEASE is now available
 Date:  Tue, 1 Feb 2005 16:21:39 -0500
I have read the Release notes for this version and I see some features
which would be nice to have in m0n0wall.

I am quoting from the Network section.

" 2.2.3 Network Protocols
The random ephemeral port allocation, which comes from OpenBSD, has been
implemented. This is enabled by default and can be disabled using the
net.inet.ip.portrange.randomized sysctl. Note that the randomization
can lead to extremely fast port reuse at high connection rates, which
is causing problems for some users. To retain the security advantage
of random ports and ensure correct operation, it is disabled during
periods of high connection rates. More specifically, when the
connection rate exceeds the value of the
net.inet.ip.portrange.randomcps sysctl (10 by default), the
randomization will be disabled for seconds specified in the
net.inet.ip.portrange.randomtime sysctl (45 by default).

ipfw now supports lookup tables. This feature is useful for handling
large sparse address sets.

ipnat now allows redirect rules to work for non-TCP/UDP packets.

The RST handling of the FreeBSD TCP stack has been improved to make
reset attacks as difficult as possible while maintaining compatibility
with the widest range of TCP stacks. The algorithm is as follows. For
connections in the ESTABLISHED state, only resets with sequence
numbers exactly matching last_ack_sent will cause a reset, all other
segments will be silently dropped. For connections in all other
states, a reset anywhere in the window will cause the connection to be
reset. All other segments will be silently dropped. Note that this
breaks the RFC 793 specification and you can still disable this and
use the conventional behavior by setting a new sysctl
net.inet.tcp.insecure_rst to 1."
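The two behaviours quoted above (the randomcps/randomtime backoff on ephemeral port randomization, and the tightened RST acceptance rule with its insecure_rst escape hatch) are easier to reason about as code. The Python model below is an added illustration; it is not part of this mail, of m0n0wall, or of the FreeBSD kernel source. The sysctl defaults (10 and 45) are the ones quoted in the release notes; the ephemeral port range 49152-65535, the once-per-second tick, the class and function names, and the traffic pattern fed to simulate() are all assumptions made for the example.

```python
import random

# Defaults quoted in the FreeBSD 4.11 release notes.
RANDOMCPS = 10       # net.inet.ip.portrange.randomcps
RANDOMTIME = 45      # net.inet.ip.portrange.randomtime
# Assumed ephemeral range for this model (not taken from the release notes).
PORT_FIRST, PORT_LAST = 49152, 65535


class PortRandomizer:
    """Simplified per-second model of the randomization backoff.

    Ports are random while `stoprandom` is zero.  When one second sees more
    than `randomcps` allocations, randomization is switched off for
    `randomtime` seconds and ports are handed out sequentially instead.
    This is a model of the behaviour described in 2.2.3, not kernel code.
    """

    def __init__(self, randomcps=RANDOMCPS, randomtime=RANDOMTIME, seed=0):
        self.randomcps = randomcps
        self.randomtime = randomtime
        self.allocs_this_second = 0
        self.stoprandom = 0            # seconds of sequential allocation left
        self.next_port = PORT_FIRST    # cursor used while not randomizing
        self.rng = random.Random(seed)

    def randomized(self):
        return self.stoprandom == 0

    def allocate(self):
        """Hand out one ephemeral port under the current mode."""
        self.allocs_this_second += 1
        if self.randomized():
            return self.rng.randint(PORT_FIRST, PORT_LAST)
        port = self.next_port
        self.next_port = PORT_FIRST if port == PORT_LAST else port + 1
        return port

    def tick(self):
        """Once-per-second housekeeping: arm or age the backoff timer."""
        if self.allocs_this_second > self.randomcps:
            self.stoprandom = self.randomtime
        elif self.stoprandom > 0:
            self.stoprandom -= 1
        self.allocs_this_second = 0


def simulate(connections_per_second, **kw):
    """For each simulated second, report whether ports were randomized."""
    pr = PortRandomizer(**kw)
    flags = []
    for n in connections_per_second:
        flags.append(pr.randomized())
        for _ in range(n):
            pr.allocate()
        pr.tick()
    return flags


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 window test with 32-bit wraparound: rcv_nxt <= seq < rcv_nxt+rcv_wnd."""
    return (seq - rcv_nxt) % (1 << 32) < rcv_wnd


def rst_accepted(state, seq, rcv_nxt, rcv_wnd, last_ack_sent, insecure_rst=False):
    """Decide whether an incoming RST tears the connection down.

    insecure_rst=True models net.inet.tcp.insecure_rst=1, the conventional
    RFC 793 behaviour: any in-window RST is honoured.  With the default (0),
    an ESTABLISHED connection only honours a RST whose sequence number is
    exactly last_ack_sent; connections in other states still accept any
    in-window RST.  Everything else is silently dropped.
    """
    in_window = seq_in_window(seq, rcv_nxt, rcv_wnd)
    if insecure_rst:
        return in_window
    if state == "ESTABLISHED":
        return seq == last_ack_sent
    return in_window


if __name__ == "__main__":
    # Constructed traffic: a one-second burst of 50 connections, then idle.
    flags = simulate([5, 50] + [5] * 50)
    print("seconds without randomization:", flags.count(False))
    print("blind in-window RST on ESTABLISHED, default  :",
          rst_accepted("ESTABLISHED", 1500, 1000, 65535, 1000))
    print("blind in-window RST on ESTABLISHED, insecure :",
          rst_accepted("ESTABLISHED", 1500, 1000, 65535, 1000, insecure_rst=True))
```

The point the model makes concrete: under the default setting, an attacker who can only guess a sequence number somewhere inside a 64 KB window no longer resets an established session, while during a burst above randomcps the port allocator falls back to sequential ports for the full randomtime interval, so port guessing becomes easy precisely when connection churn is highest. Both knobs trade one risk against the other, which is why the notes say to set insecure_rst only if the stricter rule breaks a peer.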