From owner-freebsd-security@FreeBSD.ORG Tue May 20 01:15:05 2003
Date: Tue, 20 May 2003 09:37:50 +0200
From: James Ainslie
To: Ryan James
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD firewall block syn flood attack
Message-ID: <20030520073750.GH55410@gambling.com>
User-Agent: Mutt/1.5.3i

On (2003/05/20 01:52), Ryan James wrote:
> Hello,
>
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
>
> The 7 servers belong to a client, who runs redhat.
>
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall.

You could use snort quite effectively here. You can set up snort to act as an
active packet filter, in conjunction with a firewall.

Then obtain a few signature packets and craft a snort rule to activate the
dropping of these packets.

The problem with using an IDS in line with a firewall is that you run the
horrible risk of false positives. Proceed with extreme caution. :)

Hope that helps.

James.

-- 
James Ainslie
Systems Administrator
"Power corrupts, and absolute power corrupts absolutely" Lord Acton
So who says FreeBSD isn't a corrupt OS?
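Added example (editor's illustration, not code from James's reply, from snort, or from the FreeBSD project): a small sliding-window SYN counter of the kind an inline filter or IDS rule applies before deciding to drop traffic. It runs over a constructed packet list, counts bare SYNs (SYN set, ACK clear) per source and per destination, and flags whichever exceeds a threshold within a one-second window. Two points from the thread are built in: a flood with spoofed sources never trips the per-source counter, so the per-destination counter is what catches it; and a threshold set too tight flags the legitimate client, which is exactly the false-positive risk James warns about. The addresses, thresholds and function names are all assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample packets: (seconds, src_ip, dst_ip, tcp_flags).
# Addresses come from the RFC 5737 documentation ranges; nothing here
# is a real host.
def build_sample():
    pkts = []
    # One legitimate client opening five connections over five seconds,
    # each completing the three-way handshake.
    for i in range(5):
        t = float(i)
        pkts.append((t, "10.0.0.5", "192.0.2.10", "S"))
        pkts.append((t + 0.01, "192.0.2.10", "10.0.0.5", "SA"))
        pkts.append((t + 0.02, "10.0.0.5", "192.0.2.10", "A"))
    # A flood: 150 bare SYNs from 150 different (spoofed) sources,
    # all aimed at one server within roughly half a second.
    for i in range(150):
        pkts.append((2.0 + i * 0.003, f"198.51.100.{i % 250 + 1}", "192.0.2.10", "S"))
    return pkts


def syn_only(flags):
    """True for a connection-opening SYN (SYN set, ACK clear)."""
    return "S" in flags and "A" not in flags


def detect_syn_flood(packets, window=1.0, per_src=20, per_dst=100):
    """Return (flagged_sources, flagged_destinations).

    A key is flagged once more than `per_src` / `per_dst` bare SYNs
    keyed on it fall inside any `window`-second span. Sliding windows
    are kept as deques of timestamps, one per source and per destination.
    """
    src_win = defaultdict(deque)
    dst_win = defaultdict(deque)
    flagged_src, flagged_dst = set(), set()
    for ts, src, dst, flags in sorted(packets):
        if not syn_only(flags):
            continue  # SYN/ACK and ACK traffic is not counted
        for key, wins, limit, flagged in (
            (src, src_win, per_src, flagged_src),
            (dst, dst_win, per_dst, flagged_dst),
        ):
            q = wins[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop timestamps that aged out of the window
            if len(q) > limit:
                flagged.add(key)
    return flagged_src, flagged_dst


if __name__ == "__main__":
    srcs, dsts = detect_syn_flood(build_sample())
    print("flagged sources (spoofed flood stays under the per-source limit):", srcs)
    print("flagged destinations:", dsts)
    tight, _ = detect_syn_flood(build_sample(), per_src=1)
    print("per_src=1 wrongly flags the legitimate client:", tight)
```

With the default thresholds only the destination 192.0.2.10 is flagged; lowering `per_src` to 1 flags 10.0.0.5, the legitimate client, which is the false positive an inline filter would then act on. Whatever thresholds a real deployment uses should be measured against normal connection rates for the protected servers before any drop action is enabled.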