Date: Fri, 17 Jan 2003 01:54:41 +0300 (MSK) From: "."@babolo.ru To: Josh Brooks <user@mail.econolodgetulsa.com> Cc: Sean Chittenden <sean@chittenden.org>, freebsd-hackers@FreeBSD.ORG, nate@yogotech.com Subject: Re: FreeBSD firewall for high profile hosts - waste of time ? Message-ID: <200301162254.h0GMsfLs001559@aaz.links.ru> In-Reply-To: <20030116124254.J9642-100000@mail.econolodgetulsa.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> Again, thank you very much for your advice and comments - they are very > well taken. > > I will clarify and say that the fbsd system I am using / talking about is > a _dedicated_ firewall. Only port 22 is open on it. Do not open this port outside > The problem is, I have a few hundred ipfw rules (there are over 200 > machines behind this firewall) and so when a DDoS attack comes, every > packet has to traverse those hundreds of rules - and so even though the > firewall is doing nothing other than filtering packets, the cpu gets all > used up. Try this simple ruleset: possible deny log tcp from any to any setup tcpoptions !mss ipfw add allow ip from any to any out ipfw add allow ip from any to your.c.net{x,y,z,so on...} ipfw add deny log ip from any to any where your.c.net{x,y,z,so on...} is your /24 net and list of hosts in this net. If you have more then one /24 net use one rule per each (see man ipfw). Does this cover your needs? (as I wrote accounting is different task) > I have definitely put rules at the very front of the ruleset to filter out > bad packets, and obvious attacks, but there is a new one devised literally > every day. I have 3000+ users with 1 or more IP each. typical reconfiguration rate of one router: 0sw~(3)#zcat /var/log/all.0.gz | grep 'config now' | wc -l 91 0sw~(4)#zcat /var/log/all.1.gz | grep 'config now' | wc -l 90 0sw~(5)#zcat /var/log/all.2.gz | grep 'config now' | wc -l 92 _per day_ and it is very easy ... with ISPMS/ISPDB based on PostgreSQL Do you interested? -- @BABOLO http://links.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301162254.h0GMsfLs001559>