From owner-freebsd-questions@FreeBSD.ORG Fri Jan 27 01:42:58 2006
Date: Fri, 27 Jan 2006 08:42:31 +0700 (ICT)
Message-Id: <200601270142.k0R1gV6G049755@banyan.cs.ait.ac.th>
From: Olivier Nicole
To: ikaney@crisiant.com
Cc: freebsd-questions@freebsd.org
In-reply-to: <20060126115051.8840D43D45@mx1.FreeBSD.org> (ikaney@crisiant.com)
References: <20060126115051.8840D43D45@mx1.FreeBSD.org>
Subject: Re: Bridging Firewall Machine Questions

> I've also had problems with the bridge running out of dynamic rules.
> I've raised them to silly figures; however, I'm always wary that if a machine had a Trojan or some other form of malware that attempted a DoS attack, the bridge would probably fall over after exhausting its dynamic rule count and cause

I believe other firewall solutions (iptables or ipchains, whatever is the newest) have rate limiting for specific kinds of traffic, so this should prevent DoS, but as far as I remember ipfw has no such feature.

Olivier