Date: Sun, 10 Feb 2013 18:34:14 +0100
From: James Howlett <jim.howlett@outlook.com>
To: "khatfield@socllc.net" <khatfield@socllc.net>
Cc: "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: RE: FreeBSD DDoS protection
Message-ID: <SNT002-W95E85AB9EE61748F0E5244E50B0@phx.gbl>
In-Reply-To: <935214494.7700.1360514165103@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
References: <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl>, <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>, <SNT002-W126C067EAA248C592EBB424E50B0@phx.gbl>, <935214494.7700.1360514165103@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
Kevin,

> That's very helpful to know. So at this time are you doing NAT from the router or simply passing all traffic and allowing the switch to sort it out?
>
There is no NAT on my router. The setup looks like that:

ISP--switch--FreeBSD-router---switch---firewall (nat, etc)

The switch is basically one device with some vlans. My outside connectivity is done by BGP, my internal routing is using OSPF as an IGMP protocol.

> You can google sflow for FreeBSD. There is an export tool for netflow which I have used that exports as sflow via a bridge type conversion.
> Works incredibly well.

Great, I'll look into that. Could you recommend some flow display/analysis software?

> ICMP can be blocked safely but it does need to be specific. For example you can allow ping and disallow bogus ICMP. You can safely block, for example, UDP port 0 which is commonly attacked.
>
Ok.

> If you do not wish to make it public, it's fine. However, you can send me your current pf rules and I can take a look and provide some recommendations.
>
My firewall is basic and looks like that: http://pastebin.com/JJbLxHTS

> Additionally, it would be good to know the switch you're using. I'm guessing since it's sflow that it's Juniper. There are some very useful ACL's that can be put in at the switch.

I have both juniper ex2200 and cisco 2960s at hand.

> However, if the BSD box is either live locking or crashing then you need to fix that first.
>
The BSD box drops network connectivity - OSPF fails first which causes my network to go offline. The host itself is working - I can access it via iLOM.

> I would state that enabling polling can be done from the command line if it's already enabled in the kernel.
>
> Enabling polling in itself without tweaking it could likely increase your overall PPS limitations by 70%. So I recommend doing that immediately and just placing it on your public facing NIC first.

My ethernet cards use em driver. I can change it to igb cards in a few weeks. Is it safe to enable polling on a production system?

All best,
jim
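As an added example (not the rules behind the pastebin link in the message above, and not from either poster), this pf.conf fragment shows the selective ICMP filtering and the UDP port 0 block that Kevin describes. The public interface name em0 and the chosen ICMP types are assumptions.

```pf
# Added example: selective ICMP filtering and UDP port 0 block on the
# public-facing interface. "em0" is an assumption, not from the thread.
ext_if = "em0"

# ICMP types to keep: echo request (ping) plus the types that path MTU
# discovery and traceroute depend on. Everything else is dropped.
icmp_types = "{ echoreq, unreach, timex }"

set skip on lo0

# Nothing legitimate uses UDP port 0 as source or destination; drop it
# early with "quick" so no later rule can pass it.
block in quick on $ext_if inet proto udp from any port 0 to any
block in quick on $ext_if inet proto udp from any to any port 0

# pf is last-match-wins: block all inbound ICMP, then pass only the
# listed types. Stateful so replies to our own pings still return.
block in on $ext_if inet proto icmp
pass in on $ext_if inet proto icmp icmp-type $icmp_types keep state
```

Validate the syntax before loading with `pfctl -nf /etc/pf.conf`, and merge these lines with the existing pass rules rather than replacing them.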