From: James Howlett <jim.howlett@outlook.com>
To: khatfield@socllc.net
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: RE: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 18:34:14 +0100
List-Id: Internet Services Providers

Kevin,

> That's very helpful to know. So at this time are you doing NAT from the router or simply passing all traffic and allowing the switch to sort it out?
>

There is no NAT on my router.
The setup looks like that: ISP--switch--FreeBSD-router---switch---firewall (nat, etc)
The switch is basically one device with some vlans.
My outside connectivity is done by BGP, my internal routing is using OSPF as an IGMP protocol.

> You can google sflow for FreeBSD. There is an export tool for netflow which I have used that exports as sflow via a bridge type conversion.
> Works incredibly well.

Great, I'll look into that. Could you recommend some flow display/analysis software?

> ICMP can be blocked safely but it does need to be specific. For example you can allow ping and disallow bogus ICMP. You can safely block, for example, UDP port 0 which is commonly attacked.
>

Ok.

> If you do not wish to make it public, it's fine. However, you can send me your current pf rules and I can take a look and provide some recommendations.
>

My firewall is basic and looks like that: http://pastebin.com/JJbLxHTS

> Additionally, it would be good to know the switch you're using. I'm guessing since it's sflow that it's Juniper. There are some very useful ACL's that can be put in at the switch.

I have both juniper ex2200 and cisco 2960s at hand.

>
> However, if the BSD box is either live locking or crashing then you need to fix that first.
>

The BSD box drops network connectivity - OSPF fails first which causes my network to go offline. The host itself is working - I can access it via iLOM.

> I would state that enabling polling can be done from the command line if it's already enabled in the kernel.
>
> Enabling polling in itself without tweaking it could likely increase your overall PPS limitations by 70%. So I recommend doing that immediately and just placing it on your public facing NIC first.

My ethernet cards use em driver. I can change it to igb cards in a few weeks.
Is it safe to enable polling on a production system?

All best,
jim
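The two points Kevin makes above, that ICMP should be filtered by type rather than blocked wholesale and that UDP port 0 can be dropped outright, are easiest to see in a concrete pf ruleset. The fragment below is an added illustration written for this thread; it is not the ruleset linked on pastebin and not anything either poster wrote. It assumes em0 is the public-facing interface of a router that does no NAT, and it leaves out the BGP and OSPF passes a real router would also need so that the ICMP and UDP handling stays visible.

```pf
# Added example (not the ruleset linked in the thread). Assumes: em0 is the
# public-facing interface, no NAT on this box, and the BGP/OSPF passes that a
# real router needs are left out to keep the ICMP/UDP handling visible.
ext_if = "em0"

set skip on lo0
set block-policy drop

# Default deny on the public interface. Each pass below creates state, so
# reply traffic needs no extra rules. Logged so floods show up on pflog0.
block in log on $ext_if all

# UDP with source or destination port 0 is never legitimate; drop it with
# quick so no later rule is consulted and no state is ever created for it.
block in quick on $ext_if proto udp from any port 0 to any
block in quick on $ext_if proto udp from any to any port 0

# ICMP, specific rather than wholesale: echo requests are allowed but limited
# both globally (max) and per source address (source-track + max-src-states),
# so one flooding host cannot fill the state table. Once a source is over its
# limit, its further echo requests fall through to the default block above.
pass in on $ext_if inet proto icmp icmp-type echoreq \
    keep state (max 2000, source-track rule, max-src-states 10)

# Error types that path MTU discovery and traceroute depend on; everything
# else (redirects, timestamp and mask requests, ...) stays blocked.
pass in on $ext_if inet proto icmp icmp-type { unreach, timex } keep state

# IPv6 is deliberately not covered here: ICMPv6 carries neighbour discovery
# and needs its own, equally specific, rules rather than a blanket block.
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -s info` and `pfctl -s states` during a flood to confirm the state limits are doing the work rather than the CPU. On a forwarding router pf also evaluates packets on the inside interface, so the public-side rules above are only half of the policy.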