From owner-freebsd-hackers Thu Jan 16 14:53:07 2003
Message-Id: <200301162254.h0GMsfLs001559@aaz.links.ru>
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
In-Reply-To: <20030116124254.J9642-100000@mail.econolodgetulsa.com>
To: Josh Brooks
Date: Fri, 17 Jan 2003 01:54:41 +0300 (MSK)
From: "."@babolo.ru
Cc: Sean Chittenden, freebsd-hackers@FreeBSD.ORG, nate@yogotech.com
X-Mailer: ELM [version 2.4ME+ PL99b (25)]
MIME-Version: 1.0
Sender: owner-freebsd-hackers@FreeBSD.ORG

> Again, thank you very much for your advice and comments - they are very
> well taken.
>
> I will clarify and say that the fbsd system I am using / talking about is
> a _dedicated_ firewall. Only port 22 is open on it.

Do not open this port outside.

> The problem is, I have a few hundred ipfw rules (there are over 200
> machines behind this firewall) and so when a DDoS attack comes, every
> packet has to traverse those hundreds of rules - and so even though the
> firewall is doing nothing other than filtering packets, the cpu gets all
> used up.
Try this simple ruleset:

    # possible
    ipfw add deny log tcp from any to any setup tcpoptions !mss

    ipfw add allow ip from any to any out
    ipfw add allow ip from any to your.c.net{x,y,z,so on...}
    ipfw add deny log ip from any to any

where your.c.net{x,y,z,so on...} is your /24 net and the list of hosts in
this net. If you have more than one /24 net, use one rule per each (see
man ipfw).

Does this cover your needs? (as I wrote, accounting is a different task)

> I have definitely put rules at the very front of the ruleset to filter out
> bad packets, and obvious attacks, but there is a new one devised literally
> every day.

I have 3000+ users with 1 or more IP each.
Typical reconfiguration rate of one router:

    0sw~(3)#zcat /var/log/all.0.gz | grep 'config now' | wc -l
    91
    0sw~(4)#zcat /var/log/all.1.gz | grep 'config now' | wc -l
    90
    0sw~(5)#zcat /var/log/all.2.gz | grep 'config now' | wc -l
    92

_per day_ and it is very easy ... with ISPMS/ISPDB based on PostgreSQL.
Are you interested?

-- 
@BABOLO      http://links.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
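The ruleset sketched in the reply above, turned into a generator script, as an added example that is not part of the original mail or of any FreeBSD tool. The point it illustrates is the one the thread is about: with ipfw2's `addr/24{a,b,c}` address-set syntax (stock in FreeBSD 5.x), every /24 behind the firewall costs exactly one rule regardless of how many hosts are in it, because the host list is matched against a 256-bit bitmap rather than one rule per host, so a flood packet traverses a handful of rules instead of hundreds. The script only prints `ipfw add` commands; it never runs ipfw, so it can be reviewed offline and piped to `sh` on the firewall. The inventory lines, the rule numbers, the `gen_rules` name and the `drop-nomss` flag (which emits the "possible" SYN-without-MSS rule from the reply) are all my assumptions for the demonstration; in an ISP setup the inventory would come from something like `psql -At` instead of the constant below.

```shell
#!/bin/sh
# Added example (not from the original mail): print a compact ipfw ruleset
# for a dedicated firewall in front of several /24 nets.  Requires ipfw2
# (FreeBSD 5.x) for the addr/24{list} address-set syntax.
#
# Inventory format, one line per /24:   base/24:last-octet,last-octet,...

# Constructed sample inventory for the demonstration (not real hosts).
SAMPLE_NETS='192.0.2.0/24:1,2,7,200
198.51.100.0/24:10,11'

# gen_rules: read the inventory on stdin, print one "ipfw add" per rule.
#   $1 = "drop-nomss" to include the optional rule that drops TCP SYNs
#        carrying no MSS option (a common mark of crude flood tools; it
#        also drops any legitimate stack that omits MSS, so it is optional).
# Returns 1 and prints nothing further if an inventory line is not a /24,
# since the {list} form only applies to masks of 24 bits or wider.
gen_rules() {
    n=100
    echo "ipfw -f flush"
    if [ "$1" = "drop-nomss" ]; then
        echo "ipfw add $n deny log tcp from any to any setup tcpoptions !mss"
        n=$((n + 100))
    fi
    # Everything leaving the box is allowed; the per-/24 rules decide inbound.
    echo "ipfw add $n allow ip from any to any out"
    n=$((n + 100))
    while IFS=: read -r net hosts; do
        case "$net" in
            ''|'#'*) continue ;;          # skip blank and comment lines
        esac
        case "$net" in
            */24) ;;
            *) echo "gen_rules: $net is not a /24; use one set rule per /24" >&2
               return 1 ;;
        esac
        # One rule per /24: the host list becomes a 256-bit bitmap inside
        # the rule, so lookup cost does not grow with the number of hosts.
        echo "ipfw add $n allow ip from any to ${net}{${hosts}}"
        n=$((n + 100))
    done
    # Final catch-all: anything not destined to a listed host is dropped
    # and logged.  With two /24s this whole ruleset is five rules.
    echo "ipfw add 65000 deny log ip from any to any"
}

# Stand-alone run: show the generated commands for the sample inventory.
printf '%s\n' "$SAMPLE_NETS" | gen_rules drop-nomss
```

On the firewall itself, after loading the output, `ipfw show` confirms both the rule count and, under a flood, which of the few rules is absorbing the packets (the per-rule counters), which is the check that the hundreds-of-rules problem described in the quoted mail has actually gone away.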