Hello, I have read the Release notes for this version and I see some features which would be nice to have in m0n0wall. I am quoting from the Network section.

"2.2.3 Network Protocols

The random ephemeral port allocation, which comes from OpenBSD, has been implemented. This is enabled by default and can be disabled using the net.inet.ip.portrange.randomized sysctl. Note that the randomization can lead to extremely fast port reuse at high connection rates, which is causing problems for some users. To retain the security advantage of random ports and ensure correct operation, it is disabled during periods of high connection rates. More specifically, when the connection rate exceeds the value of the net.inet.ip.portrange.randomcps sysctl (10 by default), the randomization will be disabled for the number of seconds specified in the net.inet.ip.portrange.randomtime sysctl (45 by default).

ipfw now supports lookup tables. This feature is useful for handling large sparse address sets.

ipnat now allows redirect rules to work for non-TCP/UDP packets.

The RST handling of the FreeBSD TCP stack has been improved to make reset attacks as difficult as possible while maintaining compatibility with the widest range of TCP stacks. The algorithm is as follows. For connections in the ESTABLISHED state, only resets with sequence numbers exactly matching last_ack_sent will cause a reset; all other segments will be silently dropped. For connections in all other states, a reset anywhere in the window will cause the connection to be reset. All other segments will be silently dropped. Note that this breaks the RFC 793 specification and you can still disable this and use the conventional behavior by setting a new sysctl net.inet.tcp.insecure_rst to 1."

Regards,
Adrian
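To make the quoted RST rule concrete, here is an added example (not FreeBSD's or m0n0wall's code, and not part of Adrian's post) that models the decision as described: in ESTABLISHED the RST must hit last_ack_sent exactly, in every other state anywhere in the receive window counts, and insecure_rst=1 falls back to the in-window rule. Function and parameter names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Connection states collapsed to the two cases the release note distinguishes. */
enum tcp_state { TCPS_ESTABLISHED, TCPS_OTHER };

/* Sequence-space comparisons that survive 32-bit wraparound (RFC 793 style). */
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }

/* True if `seq` lies in the receive window [rcv_nxt, rcv_nxt + rcv_wnd). */
static bool in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd) {
    return seq_geq(seq, rcv_nxt) && seq_lt(seq, rcv_nxt + rcv_wnd);
}

/* Decide whether an incoming RST resets the connection (hypothetical helper).
 * insecure_rst != 0 models net.inet.tcp.insecure_rst=1, i.e. the
 * conventional in-window acceptance; 0 models the hardened default. */
bool rst_resets_connection(enum tcp_state state, uint32_t seq,
                           uint32_t last_ack_sent, uint32_t rcv_nxt,
                           uint32_t rcv_wnd, int insecure_rst) {
    if (insecure_rst)
        return in_window(seq, rcv_nxt, rcv_wnd);
    if (state == TCPS_ESTABLISHED)
        return seq == last_ack_sent;           /* exact match only */
    return in_window(seq, rcv_nxt, rcv_wnd);   /* any in-window RST */
}

int main(void) {
    /* Constructed sample: window of 65535 starting at rcv_nxt=1000. */
    uint32_t last_ack = 1000, rcv_nxt = 1000, wnd = 65535;
    printf("ESTABLISHED, seq=1000 -> %d\n",
           rst_resets_connection(TCPS_ESTABLISHED, 1000, last_ack, rcv_nxt, wnd, 0));
    printf("ESTABLISHED, seq=1500 -> %d\n",
           rst_resets_connection(TCPS_ESTABLISHED, 1500, last_ack, rcv_nxt, wnd, 0));
    printf("ESTABLISHED, seq=1500, insecure_rst=1 -> %d\n",
           rst_resets_connection(TCPS_ESTABLISHED, 1500, last_ack, rcv_nxt, wnd, 1));
    return 0;
}
```

The second and third lines of output show the practical effect: with the hardened default an off-by-500 RST is dropped, while the sysctl restores the RFC 793 in-window acceptance.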