From: "Nielsen"
To: "zhang jack"
Cc: freebsd-security@freebsd.org
Subject: Re: syncache testing
Date: Tue, 16 Jul 2002 14:28:52 +0000 (GMT)
Message-Id: <20020716142852.0475E43B39A@mail.npubs.com>

It would seem that the syncache firewall would actually have to handle the TCP request. In other words, you'd need a full-fledged proxy which then forwards the request to your real www servers.

Cheers
Nate

From: "zhang jack"
> I have tested IPFilter + syncache; it seems it doesn't work.
>
>     client 192.168.1.1
>          |
>     _____|____ fxp0:192.168.1.2
>
>       Gateway
>
>     __________ fxp1:10.0.0.1
>          |
>          |
>     www server 10.0.0.2
>
> I make the rdr rule as:
> "rdr fxp0 192.168.1.2/32 port 80 -> 10.0.0.2 port 80"
> then I make a syn flood to 192.168.1.2 (on 192.168.1.1),
> the syncache seems not to work:
> "net.inet.tcp.syncache.count: 0"
>
> Maybe I must use IPFW + natd?
>
> Jack Zhang
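To illustrate the point Nate makes, here is an added example (not code from the thread, from IPFilter or from FreeBSD): a minimal user-space TCP proxy that sits where the rdr rule did. Because accept() on the gateway returns only after its own kernel has completed the three-way handshake, half-open SYNs are held in the gateway's syncache and never produce a connect() to the www server; the loopback addresses, port 0 bindings and the echo "www server" are constructed for the demo.

```python
import asyncio

async def pipe(reader, writer):
    """Copy one direction until EOF, then half-close the peer."""
    while data := await reader.read(65536):
        writer.write(data)
        await writer.drain()
    if writer.can_write_eof():
        writer.write_eof()  # send FIN only; our read side stays open

async def handle_client(client_r, client_w, backend_host, backend_port):
    # Reached only after the gateway kernel completed the client's
    # three-way handshake; a flood of bare SYNs stays in the syncache
    # and never causes a connect() to the real www server.
    try:
        backend_r, backend_w = await asyncio.open_connection(
            backend_host, backend_port)
    except OSError:
        client_w.close()
        return
    try:
        await asyncio.gather(pipe(client_r, backend_w),
                             pipe(backend_r, client_w))
    finally:
        client_w.close()
        backend_w.close()

async def serve_proxy(listen_host, listen_port, backend_host, backend_port):
    return await asyncio.start_server(
        lambda r, w: handle_client(r, w, backend_host, backend_port),
        listen_host, listen_port)

async def _demo():
    # Constructed stand-in for the www server: echoes the request back.
    async def echo(r, w):
        w.write(await r.read(1024)); await w.drain(); w.close()
    backend = await asyncio.start_server(echo, "127.0.0.1", 0)
    b_port = backend.sockets[0].getsockname()[1]
    proxy = await serve_proxy("127.0.0.1", 0, "127.0.0.1", b_port)
    p_port = proxy.sockets[0].getsockname()[1]
    r, w = await asyncio.open_connection("127.0.0.1", p_port)
    w.write(b"GET / HTTP/1.0\r\n\r\n"); await w.drain(); w.write_eof()
    reply = await r.read()
    w.close(); proxy.close(); backend.close()
    return reply

def selftest() -> bytes:
    """Run the demo end to end and return what came back through the proxy."""
    return asyncio.run(_demo())
```

In a real deployment the proxy listens on the gateway's outside address (fxp0 in Jack's diagram) and forwards to the www server behind fxp1, so `net.inet.tcp.syncache.count` on the gateway reflects the flood instead of staying at 0.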