From owner-freebsd-questions Sat Feb 8 14:10:56 1997
Message-ID: <32FCF895.59E2B600@whistle.com>
Date: Sat, 08 Feb 1997 14:05:09 -0800
From: Julian Elischer
Organization: Whistle Communications
To: That Doug Guy
CC: FreeBSD Questions, "FreeBSD-ISP@freebsd.org"
Subject: Re: Packet filtering help please
References: <199702081909.LAA11891@smtp.connectnet.com>

That Doug Guy wrote:
>
> Howdy, :-)
>
> I (still, *cough*) need information on packet filtering. I looked at
> LINT, and found this about bpf:
>
> # The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
> # aware of the legal and administrative consequences of enabling this
> # option. The number of devices determines the maximum number of
> # simultaneous BPF client programs runnable.

bpf is not what you want to do... what you want is ipfw.
bpf is a debugging interface that allows packets to selectively be transferred to a debugging process.
ipfw allows you to put filtering rules on interfaces for firewalling purposes..
> The last time I asked, the best info I got was that for my purposes
> (occasional filtering of nuisance hosts) enabling the firewall option in the
> kernel, and using ipfw would be my best bet. This issue has become
> somewhat more urgent as our system is being attacked by a pesky (and
> persistent) 15 year old. I never did receive an answer on how much
> overhead (cpu is the biggest consideration) this will add to my system.

some but not too much

> Also, where can I find more info on how to construct rules?
> (Beyond the man pages.)
> I will be doing this all remotely, so getting it right the first time is
> essential.

add the following code to the rc file

    ipfw add 10000 allow ip from all to all
    ipfw add 1000 deny ip from {his address} to any

that should about do it..
remember that the default rule is:

    ipfw add 65536 deny ip from any to any

so you need to add the allow rule above via /etc/rc because you won't be able to get to the box to do it by hand :)

>
> I've heard that the O'Reilly book on TCP/IP Administration is really
> good.....is this kind of information included in it? I have 2 of their books
> already, and really like them. Please note that I'm willing to do the digging
> to get the info myself, but I've run out of places to look.
>
> Thanks in advance for any help you can offer,
>
> Doug
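A small shell simulation of the rule ordering the reply relies on, added here as an example and not part of the original thread. It assumes a constructed placeholder address (192.0.2.77, from the documentation range) in place of {his address}, uses ipfw's `any` keyword for the wildcard, and models only first-match-by-rule-number evaluation; it never calls the real ipfw(8).

```shell
#!/bin/sh
# Added example: models how ipfw picks the first matching rule by rule
# number, so the deny at 1000 is checked before the allow at 10000 even
# though the allow was added first. Nothing here talks to the kernel.

BAD_HOST="192.0.2.77"   # constructed placeholder for {his address}

# The two rules the reply puts in /etc/rc, in the order they are typed.
rc_rules() {
    printf '%s\n' \
        "ipfw add 10000 allow ip from any to any" \
        "ipfw add 1000 deny ip from $BAD_HOST to any"
}

# The same file with the allow rule forgotten: every host, including the
# admin working remotely, falls through to the default deny.
deny_only_rules() {
    printf '%s\n' "ipfw add 1000 deny ip from $BAD_HOST to any"
}

# first_match RULES_FN SRC_ADDR
# Sort the rules numerically (ipfw's evaluation order) and print the
# number and action of the first rule whose source matches SRC_ADDR.
# If none matches, report the default rule number the reply quotes.
first_match() {
    "$1" | sed 's/^ipfw add //' | sort -n | awk -v src="$2" '
        $5 == "any" || $5 == src { print $1, $2; found = 1; exit }
        END { if (!found) print "65536 deny" }'
}

# Sanity check for the lockout the reply warns about: a ruleset for a
# remotely administered box must contain at least one allow rule.
has_allow_rule() {
    "$1" | grep -q ' allow '
}

main() {
    echo "packet from $BAD_HOST:    $(first_match rc_rules "$BAD_HOST")"
    echo "packet from 198.51.100.5: $(first_match rc_rules 198.51.100.5)"
    echo "same, allow rule missing: $(first_match deny_only_rules 198.51.100.5)"
    has_allow_rule rc_rules || echo "WARNING: no allow rule; remote lockout"
}

main
```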