Date:      Thu, 9 Sep 2010 23:56:29 +0300
From:      Vlad Galu <dudu@dudu.ro>
To:        "Marat N.Afanasyev" <amarat@ksu.ru>
Cc:        Gareth de Vaux <bsd@lordcow.org>, stable@freebsd.org
Subject:   Re: ipfw: Too many dynamic rules
Message-ID:  <AANLkTi=oaANzhEkDSnaQgaXz%2BTOO8aQPOkaQ9GAP9v0O@mail.gmail.com>
In-Reply-To: <4C89215E.7010203@ksu.ru>
References:  <20100909153902.GA28341@lordcow.org> <4C89215E.7010203@ksu.ru>

2010/9/9 Marat N.Afanasyev <amarat@ksu.ru>:
> I wonder, are these dynamic rules really necessary? let's see, a client
> connects to your web-server and you immediately should create a new dynamic
> rule, therefore you participate in this DoS attack as well as attacker. ;)

With a stateless firewall, you help the attacker even more, because
he's able to connect to your httpd/whatever daemon is listening
directly and he can easily fill up the descriptor table of that
process. Limiting the number of states/connections from the same host
prevents that. Sure, those states eat up RAM, but so do the
established connections. Having a slightly more aggressive state
expiry policy always helps. Sure, there are accf_http(9), accf_data(9)
and various forking workarounds, but they don't work unless your TCP
server is specifically designed to use them.

PF also allows you to tarpit malicious hosts based on how often they
try to reconnect - you can dynamically add them to a table which you
can refer to from ALTQ.

-- 
Good, fast & cheap. Pick any two.
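Added example, not part of the thread or of FreeBSD's own documentation: the per-source connection limit the reply describes, written first as ipfw dynamic rules (`limit src-addr N`) with shorter state lifetimes, then as the pf equivalent where hosts that reconnect too fast are moved into a table that a low-bandwidth ALTQ queue refers to. The interface name em0, the web port, and every numeric limit are assumptions chosen for illustration, not defaults or values from the thread; the script only emits the rules unless it is run with `--apply` as root.

```shell
#!/bin/sh
# Assumed values (illustrative, not from the thread or system defaults).
EXT_IF="em0"
WEB_PORT=80
PER_HOST_LIMIT=20      # simultaneous states allowed per source address

# ipfw: 'limit src-addr N' installs one dynamic rule per connection and
# drops the (N+1)th SYN from the same source. 'setup' matches SYN only,
# 'check-state' lets packets of existing sessions through first.
ipfw_rules() {
    cat <<EOF
ipfw add 100 check-state
ipfw add 200 allow tcp from any to me ${WEB_PORT} setup limit src-addr ${PER_HOST_LIMIT}
ipfw add 300 deny tcp from any to me ${WEB_PORT}
EOF
}

# A more aggressive expiry policy: shorter dynamic-rule lifetimes (seconds)
# and a ceiling on the table size, which is what "Too many dynamic rules"
# refers to. Values are illustrative.
ipfw_sysctls() {
    cat <<EOF
sysctl net.inet.ip.fw.dyn_max=16384
sysctl net.inet.ip.fw.dyn_syn_lifetime=10
sysctl net.inet.ip.fw.dyn_ack_lifetime=120
sysctl net.inet.ip.fw.dyn_fin_lifetime=1
EOF
}

# pf: max-src-conn caps states per source; max-src-conn-rate (connections
# per seconds) feeds offenders into <tarpitted> and flushes their states.
# Because pf's last matching rule wins, the later 'pass ... queue tarpit'
# rule sends those hosts to a 1% ALTQ queue instead of blocking them.
pf_conf() {
    cat <<EOF
ext_if = "${EXT_IF}"
table <tarpitted> persist

altq on \$ext_if cbq bandwidth 100Mb queue { std, tarpit }
queue std bandwidth 95% cbq(default)
queue tarpit bandwidth 1% cbq

pass in on \$ext_if proto tcp to (\$ext_if) port ${WEB_PORT} flags S/SA keep state \\
    (max-src-conn ${PER_HOST_LIMIT}, max-src-conn-rate 15/5, overload <tarpitted> flush global)
pass in on \$ext_if proto tcp from <tarpitted> to (\$ext_if) port ${WEB_PORT} \\
    flags S/SA keep state queue tarpit
EOF
}

# Operator commands to watch and age out the table (run on the pf host).
pf_table_ops() {
    cat <<EOF
pfctl -t tarpitted -T show
pfctl -t tarpitted -T expire 3600
EOF
}

main() {
    if [ "$1" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
        ipfw_sysctls | sh
        ipfw_rules | sh
    else
        echo "# ipfw"; ipfw_rules; ipfw_sysctls
        echo "# pf.conf"; pf_conf
        echo "# pf table maintenance"; pf_table_ops
    fi
}

main "$@"
```

The two pf rules rely on rule ordering: a tarpitted host still matches the first pass rule, but the second, more specific rule matches last and wins, so its traffic lands in the throttled queue rather than being dropped outright; switch the second rule to `block in quick from <tarpitted>` if outright blocking is preferred.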