From owner-freebsd-hackers Thu Jan 16 14:26:53 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AE71637B401
	for ; Thu, 16 Jan 2003 14:26:52 -0800 (PST)
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4E22043F13
	for ; Thu, 16 Jan 2003 14:26:52 -0800 (PST)
	(envelope-from dillon@apollo.backplane.com)
Received: from apollo.backplane.com (localhost [127.0.0.1])
	by apollo.backplane.com (8.12.6/8.12.6) with ESMTP id h0GMQq0i024452;
	Thu, 16 Jan 2003 14:26:52 -0800 (PST)
	(envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.12.6/8.12.6/Submit) id h0GMQqMQ024451;
	Thu, 16 Jan 2003 14:26:52 -0800 (PST)
Date: Thu, 16 Jan 2003 14:26:52 -0800 (PST)
From: Matthew Dillon
Message-Id: <200301162226.h0GMQqMQ024451@apollo.backplane.com>
To: Josh Brooks
Cc: Nate Williams, freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
References: <20030116141047.A38599-100000@mail.econolodgetulsa.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:My problem is that every time I add a new rule to the top, a new kind of
:attack is used, and gets through just fine - so I have 12K packets/s
:coming through all 300 rules of mine no matter what I put in :)
:
:thanks again for your help and comments.

If attacks are a predominant problem for you, I recommend sticking a
machine in between your internet connection and everything else whose ONLY
purpose is to deal with attacks. With an entire cpu dedicated to dealing
with attacks you aren't likely to run out of CPU suds (at least not before
your attackers fill your internet pipe). This allows you to use more
reasonable rulesets on your other machines.

Also, having a machine in the middle gives you a platform which you can
dedicate not only to attack suppression, but also attack analysis.

-Matt
Matthew Dillon