From owner-freebsd-hackers Thu Jan 16 12:46:15 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4950737B401 for ; Thu, 16 Jan 2003 12:46:14 -0800 (PST)
Received: from mail.econolodgetulsa.com (mail.econolodgetulsa.com [198.78.66.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBD4E43EB2 for ; Thu, 16 Jan 2003 12:46:13 -0800 (PST) (envelope-from user@mail.econolodgetulsa.com)
Received: from mail (user@mail [198.78.66.163]) by mail.econolodgetulsa.com (8.12.3/8.12.3) with ESMTP id h0GKk9Zb035436; Thu, 16 Jan 2003 12:46:09 -0800 (PST) (envelope-from user@mail.econolodgetulsa.com)
Date: Thu, 16 Jan 2003 12:46:08 -0800 (PST)
From: Josh Brooks
To: Sean Chittenden
Cc: freebsd-hackers@freebsd.org
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
In-Reply-To: <20030116203739.GA34165@perrin.int.nxad.com>
Message-ID: <20030116124254.J9642-100000@mail.econolodgetulsa.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Again, thank you very much for your advice and comments - they are very well taken.

I will clarify and say that the fbsd system I am using / talking about is a _dedicated_ firewall. Only port 22 is open on it. The problem is, I have a few hundred ipfw rules (there are over 200 machines behind this firewall) and so when a DDoS attack comes, every packet has to traverse those hundreds of rules - and so even though the firewall is doing nothing other than filtering packets, the CPU gets all used up.

I have definitely put rules at the very front of the ruleset to filter out bad packets, and obvious attacks, but there is a new one devised literally every day.
------

So, you say that a poorly configured netscreen is no better than a poorly configured freebsd+ipfw ... but what about the best possibly configured netscreen vs. the best possibly configured freebsd+ipfw ?

thanks.

On Thu, 16 Jan 2003, Sean Chittenden wrote:

> > If I have a large network with high profile hosts (50+ shell servers, 50
> > or more different ircds running) am I wasting my time trying to hack and
> > tweak a FreeBSD host-based firewall running ipfw ?
>
> The suggestion later on to use a FreeBSD appliance is likely the best
> advice you've gotten. The only thing I'd suggest is to use ipfw in
> bridging mode that way your firewall is non-existent as far as the
> rest of the world is concerned. Don't do anything stateful and just
> filter out crap (where your definition of crap is left up to you).
> I've used PIX's before and have even gone so far as to work for Cisco
> for a while, so while I'm not allowed to say anything negative about
> the product (and won't ::wink::), I will suggest that you stick with
> FreeBSD as your firewall. -sc
>
> --
> Sean Chittenden
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
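Added example, not code from this thread or from FreeBSD: a small Python model of ipfw's first-match rule walk, used to put numbers on the cost per packet that Josh describes (a few hundred rules traversed per packet under a flood) and to compare a flat per-host ruleset with one that denies known junk at the front and uses ipfw's skipto to jump each packet straight to its own host's block. Host addresses, service ports and the attack source prefix are constructed for illustration; rule numbers and the allow/deny/skipto actions follow ipfw's conventions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    num: int
    action: str                       # "allow", "deny" or "skipto"
    match: Callable[[dict], bool]     # packet -> does this rule apply?
    target: int = 0                   # rule number to jump to for skipto

def evaluate(rules, pkt):
    """Walk rules in number order, first match wins, as ipfw does; return (verdict, rules examined)."""
    rules = sorted(rules, key=lambda r: r.num)
    i, examined = 0, 0
    while i < len(rules):
        r = rules[i]
        examined += 1
        if not r.match(pkt):
            i += 1
        elif r.action == "skipto":    # jump forward, skipping every rule in between
            i = next(k for k, s in enumerate(rules) if s.num >= r.target)
        else:
            return r.action, examined
    return "deny", examined           # ipfw's implicit final deny

HOSTS = [f"192.0.2.{n}" for n in range(1, 201)]   # constructed: 200 hosts behind the firewall
SERVICE_PORTS = (22, 6667)                        # constructed: ssh and ircd

def _allow_host(host):
    return lambda p: p["dst"] == host and p["dport"] in SERVICE_PORTS

def flat_ruleset():
    """One allow rule per host then deny: every packet walks the whole list."""
    rules = [Rule(100 + n, "allow", _allow_host(h)) for n, h in enumerate(HOSTS)]
    return rules + [Rule(65000, "deny", lambda p: True)]

def tuned_ruleset(group=10):
    """Known junk is denied first; a skipto layer then sends each packet only to its own host block."""
    rules = [Rule(10, "deny", lambda p: p["src"].startswith("203.0.113."))]  # constructed attack source
    for g in range(0, len(HOSTS), group):
        block, base = HOSTS[g:g + group], 1000 + g * 10
        rules.append(Rule(100 + g, "skipto", lambda p, b=block: p["dst"] in b, base))
        rules += [Rule(base + k, "allow", _allow_host(h)) for k, h in enumerate(block)]
        rules.append(Rule(base + group, "deny", lambda p: True))  # end of this host block
    return rules + [Rule(65000, "deny", lambda p: True)]

def average_cost(rules, pkts):
    """Mean number of rules examined per packet, the quantity that burns CPU in a flood."""
    return sum(evaluate(rules, p)[1] for p in pkts) / len(pkts)
```

The model shows the limit Josh ran into as well: a packet that matches no early deny rule and no skipto shortcut still pays the full walk, so a brand-new attack pattern costs as much as legitimate traffic until a rule for it is added at the front.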