From owner-freebsd-security@FreeBSD.ORG Tue May 20 06:46:53 2003
Date: Tue, 20 May 2003 08:45:34 -0500 (CDT)
From: Mike Silbersack
To: jeremie le-hen
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD firewall block syn flood attack
Message-ID: <20030520084338.W56510@odysseus.silby.com>
In-Reply-To: <20030520095759.GA26095@carpediem.epita.fr>
List-Id: Security issues [members-only posting]

On Tue, 20 May 2003, jeremie le-hen wrote:

> Note that in fact, this might be achieved on your firewall (FreeBSD also
> supports syncookies), but this would imply the TCP SYN being received by the
> firewall itself, which in turn would forward the TCP connection to the
> appropriate server once the connection was fully established.
> (I think a simple TCP tunnel with a NAT redirection to localhost should
> work.)
>
> Regards,
> --
> Jeremie aka TtZ/TataZ
> jeremie.le-hen@epita.fr

You could certainly pull that off with an application-level proxy, but the
disadvantage would be that the server would no longer be able to determine
the source IP of the machines connecting to it.

It would be possible to add the syncache / syncookies to ipfw so that it
could be used to protect hosts behind it, but I don't think anyone has
tried an implementation of that yet.

Mike "Silby" Silbersack
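The property both messages rely on is that a SYN cookie lets the SYN-ACK sender validate the client's final ACK without having stored anything about the half-open connection, which is what would let a packet filter such as ipfw do the job in-line instead of terminating the connection in a proxy (and losing the client's source IP). The following is an added illustration of that encoding and check, not code from this thread or from FreeBSD: the flow tuple, the per-boot secret, the "tick" counter, the acceptance window, the MSS class table and the FNV-1a hash are all assumptions chosen to keep it self-contained, and the layout (5-bit tick, 3-bit MSS class, 24-bit keyed hash in the ISN) follows the classic SYN-cookie design.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified SYN-cookie scheme (added example; constants are assumptions). */
#define COOKIE_WINDOW 4U    /* accept cookies up to 4 ticks old (assumed) */

/* MSS classes encodable in the 3 cookie bits (assumed values). */
static const uint16_t mss_table[8] = { 536, 1024, 1220, 1440, 1460, 4312, 8960, 9000 };

struct flow {                       /* IPv4 4-tuple, host byte order */
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

/* Toy keyed hash: FNV-1a over secret || tuple || client ISN || tick.
 * It is NOT a MAC; a real implementation must use a proper keyed MAC
 * (e.g. SipHash). FNV is used only to keep the example self-contained. */
static uint32_t cookie_hash(uint64_t secret, const struct flow *f,
                            uint32_t client_isn, uint32_t tick)
{
    uint8_t buf[8 + 4 + 4 + 2 + 2 + 4 + 4], *p = buf;
    uint64_t h = 14695981039346656037ULL;
    size_t i;

    memcpy(p, &secret, 8);      p += 8;
    memcpy(p, &f->saddr, 4);    p += 4;
    memcpy(p, &f->daddr, 4);    p += 4;
    memcpy(p, &f->sport, 2);    p += 2;
    memcpy(p, &f->dport, 2);    p += 2;
    memcpy(p, &client_isn, 4);  p += 4;
    memcpy(p, &tick, 4);
    for (i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 1099511628211ULL;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* Largest MSS class not exceeding what the client advertised. */
static unsigned mss_to_index(uint16_t mss)
{
    unsigned i, best = 0;
    for (i = 0; i < 8; i++)
        if (mss_table[i] <= mss)
            best = i;
    return best;
}

/* ISN for the SYN-ACK. No per-connection state is kept: everything needed
 * later is either in the cookie itself or in the client's final ACK. */
uint32_t syncookie_generate(uint64_t secret, const struct flow *f,
                            uint32_t client_isn, uint16_t mss, uint32_t tick)
{
    uint32_t h = cookie_hash(secret, f, client_isn, tick);
    return ((tick & 31U) << 27) | ((uint32_t)mss_to_index(mss) << 24) | (h & 0xFFFFFFU);
}

/* Check the handshake's third packet (seq = client_isn + 1, ack = cookie + 1).
 * Returns 1 and the recovered MSS if the cookie is genuine for this flow and
 * no older than COOKIE_WINDOW ticks, otherwise 0. */
int syncookie_validate(uint64_t secret, const struct flow *f,
                       uint32_t seq, uint32_t ack, uint32_t now, uint16_t *mss_out)
{
    uint32_t cookie = ack - 1, client_isn = seq - 1;
    uint32_t tick_low = cookie >> 27;           /* tick mod 32, as stored */
    uint32_t age = (now - tick_low) & 31U;      /* tolerate counter wrap */
    uint32_t tick;

    if (age > COOKIE_WINDOW)
        return 0;                               /* stale or replayed */
    tick = now - age;                           /* full tick it was minted at */
    if ((cookie_hash(secret, f, client_isn, tick) & 0xFFFFFFU) != (cookie & 0xFFFFFFU))
        return 0;                               /* forged, or a different flow */
    *mss_out = mss_table[(cookie >> 24) & 7U];
    return 1;
}

int main(void)
{
    /* Constructed flow 192.0.2.10:40000 -> 198.51.100.5:80, assumed secret. */
    struct flow f = { 0xC000020AU, 0xC6336405U, 40000, 80 };
    uint64_t secret = 0x0123456789abcdefULL;
    uint32_t cookie = syncookie_generate(secret, &f, 1000, 1460, 100);
    uint16_t mss = 0;
    int ok = syncookie_validate(secret, &f, 1001, cookie + 1, 102, &mss);
    printf("cookie=%08x valid=%d mss=%u\n", cookie, ok, mss);
    return 0;
}
```

The validation path is what an in-firewall implementation would hook into the packet filter: a bare ACK that decodes to a fresh, correctly keyed cookie is the only thing that causes state to be created (or, for a firewall, a rule or translation to be installed) for the flow, and the original source address is still on the packet because no proxy sat in the middle. Rejecting cookies older than the window is what bounds replay, and the mod-32 tick arithmetic is needed so that a cookie minted just before the counter wraps is still accepted.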