From owner-freebsd-questions Sat Feb 8 11:09:05 1997
From: "That Doug Guy"
To: "FreeBSD Questions"
Cc: "FreeBSD-ISP@freebsd.org"
Date: Sat, 08 Feb 97 11:08:55 -0800
Subject: Packet filtering help please

Howdy, :-)

I (still, *cough*) need information on packet filtering. I looked at LINT, and found this about bpf:

# The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
# aware of the legal and administrative consequences of enabling this
# option. The number of devices determines the maximum number of
# simultaneous BPF clients programs runnable.

The man page for bpf was helpful, but went over my head sooner than I would have liked. :) Where can I find more information (starting at a less ethereal level :) regarding what bpf is good for, and exactly what the dangers are?

The last time I asked, the best info I got was that for my purposes (occasional filtering of nuisance hosts) enabling the firewall option in the kernel and using ipfw would be my best bet. This issue has become somewhat more urgent as our system is being attacked by a pesky (and persistent) 15-year-old.

I never did receive an answer on how much overhead (CPU is the biggest consideration) this will add to my system. Also, where can I find more info on how to construct rules? (Beyond the man pages.) I will be doing this all remotely, so getting it right the first time is essential.

I've heard that the O'Reilly book on TCP/IP Administration is really good... is this kind of information included in it? I have 2 of their books already, and really like them.

Please note that I'm willing to do the digging to get the info myself, but I've run out of places to look.

Thanks in advance for any help you can offer,

Doug
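An added example of the ipfw approach the post mentions (this is editor-supplied code, not part of Doug's message or any reply on the list): a small sh script that generates deny rules for a list of nuisance hosts while guarding against the remote-lockout problem the post worries about. It assumes a kernel built with `options IPFIREWALL`, that rule numbers from 100 upward are unused, and a constructed ADMIN_HOST address standing in for the machine you administer from.

```shell
#!/bin/sh
# Added example (not from the original thread): generate an ipfw(8) ruleset that
# blocks a list of nuisance hosts without locking out the remote administrator.
# Assumptions (not on the page): ADMIN_HOST is the address you administer from,
# the kernel is built with "options IPFIREWALL", and rule numbers 100.. are free.

ADMIN_HOST="${ADMIN_HOST:-198.51.100.7}"   # constructed example admin address

# is_ipv4 ADDR: return 0 if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_rules HOST...: print ipfw commands, one per line, to stdout.
# Deny rules get low numbers so they match before the final allow; the admin
# host is never denied; and an explicit allow-all is emitted last so the default
# rule 65535 (deny, unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT)
# cannot strand a remote session once the denies are in place.
build_rules() {
    num=100
    for host in "$@"; do
        if ! is_ipv4 "$host"; then
            echo "# skipped invalid address: $host"
            continue
        fi
        if [ "$host" = "$ADMIN_HOST" ]; then
            echo "# refusing to deny admin host: $host"
            continue
        fi
        echo "ipfw add $num deny ip from $host to any"
        num=$((num + 10))
    done
    echo "ipfw add 65000 allow ip from any to any"
}

# Dry run on constructed sample addresses; review the output, then pipe it to sh
# on the firewall host to apply it.
build_rules 203.0.113.5 203.0.113.9 "$ADMIN_HOST" 300.1.1.1
```

Running the script prints the commands instead of executing them, so the rule set can be checked (and the admin address confirmed) before anything touches a remote box.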