Date: Thu, 16 Jan 2003 10:52:00 -0800 (PST)
From: Josh Brooks
To: freebsd-hackers@freebsd.org
Subject: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <20030116104652.T86991-100000@mail.econolodgetulsa.com>

Hi,

If I have a large network with high profile hosts (50+ shell servers, 50 or more different ircds running), am I wasting my time trying to hack and tweak a FreeBSD host-based firewall running ipfw?

I am getting hammered by a different (D)DoS attack every single day - it's always something new. I am thinking of buying a NetScreen, but on the other hand I really like FreeBSD, I really like a host-based firewall, and I hate to admit defeat.

So do any of those EFnet servers use a FreeBSD firewall? Are there people out there that know what they are doing to such a degree that they can successfully use a host-based FreeBSD system to firewall high profile network targets?

Or is it generally accepted that if you have that kind of target on your network you just have to get an appliance - that is, even if the guy that wrote ipfw and knows the fbsd kernel inside and out still wouldn't even try to make that work?

OR, would a very expert FreeBSD developer and network code guy scoff at "wasting money" on a NetScreen or PIX, knowing that if you really knew what you were doing you could do it all with a fbsd host-based firewall with ipfw?

Any comments appreciated.