Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
From: "."@babolo.ru
To: Terry Lambert
Cc: Nate Williams , Josh Brooks , Sean Chittenden , freebsd-hackers@FreeBSD.ORG
Date: Fri, 17 Jan 2003 02:51:49 +0300 (MSK)
Message-Id: <200301162351.h0GNpnPC002685@aaz.links.ru>
In-Reply-To: <3E274081.F2D2F873@mindspring.com>

> Nate Williams wrote:
> > Except that it's acting as a router, and as such there is no 'setup'
> > except for the one he is using to configure/monitor the firewall via
> > SSH.
> >
> > In essence, a no-op in a dedicated firewall setup.
>
> He doesn't want just a dedicated firewall, since it won't save
> him from an attack like the ones he's getting.
>
> The only reasonable way to shed load is at L4/L7 interaction;
> if all he's doing is L3, then his firewall will likely not
> save him.
>
> According to most of the stuff he posted, though, he's running
> L4 rules in his firewall (peeking into TCP packets).
>
> A Netscreen is a stateful firewall, which will (in effect) be
> providing application layer proxies for the connections... this
> is also the way a load balancer acts, in order to shed load by
> limiting simultaneous connections (L4/L7).
>
> In any case, he's got something else strange going on, because
> his load under attack, according to his numbers, never gets above
> the load you'd expect on 10Mbit old-style ethernet, so he's got
> something screwed up; probably, he has a loop in his rules, and
> a packet gets trapped and reprocessed over and over again (a
> friend of mine had this problem back in early December).

If I remember correctly he has less than a 10Mbit uplink and a lot of
count rules for client accounting. That is the reason I recommended he
use userland accounting. And as far as I understand, a lot of count
rules is the reason for the trouble. I saw something similar a long time
ago at the beginning of my career :-)

-- 
@BABOLO http://links.ru/
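The cost the reply above attributes to "a lot of count rules" comes from how a packet filter like ipfw evaluates its ruleset: the list is walked in order for every packet, and a `count` rule never terminates the walk, so N per-client accounting rules mean roughly N rule comparisons per packet before the terminal `allow` is reached. The model below is an added example written for this page, not code from the thread or from FreeBSD; it simulates that linear walk against a constructed ruleset and a constructed packet stream (the 10.0.x.y client addresses and the rule numbering are assumptions) and compares it with the userland alternative the reply recommends, one hash lookup per packet keyed on the source address.

```python
"""Constructed model (not from the mailing-list thread or FreeBSD) of why
a long list of per-client 'count' rules costs CPU, compared with
userland accounting keyed on the client address."""
from ipaddress import ip_address, ip_network
import random


def build_count_rules(clients):
    """One 'count ip from <client> to any' style rule per client, followed
    by a terminal 'allow' that matches everything. Rule numbering (10, 20,
    ...) is an assumption for the model."""
    rules = []
    for i, client in enumerate(clients, start=1):
        rules.append((i * 10, "count", ip_network(client)))  # host -> /32
    rules.append(((len(clients) + 1) * 10, "allow", ip_network("0.0.0.0/0")))
    return rules


def kernel_style_walk(rules, packets):
    """Linear rule walk: every rule is tested in order until a terminal
    action matches. 'count' only increments and lets the walk continue.
    Returns (per-rule-number counters, total rule comparisons performed)."""
    counters = {num: 0 for num, _, _ in rules}
    comparisons = 0
    for src in packets:
        addr = ip_address(src)
        for num, action, net in rules:
            comparisons += 1
            if addr in net:
                counters[num] += 1
                if action != "count":
                    break
    return counters, comparisons


def userland_accounting(packets):
    """Userland accounting: one dictionary lookup per packet keyed on the
    source address. Returns (per-client counters, total lookups)."""
    counters = {}
    for src in packets:
        counters[src] = counters.get(src, 0) + 1
    return counters, len(packets)


def model(n_clients=200, n_packets=1000, seed=1):
    """Run both accounting strategies over the same constructed traffic
    and report their per-packet work plus whether the totals agree."""
    clients = [f"10.0.{i // 256}.{i % 256}" for i in range(n_clients)]  # constructed
    rng = random.Random(seed)
    packets = [rng.choice(clients) for _ in range(n_packets)]           # constructed

    rules = build_count_rules(clients)
    rule_counters, comparisons = kernel_style_walk(rules, packets)
    user_counters, lookups = userland_accounting(packets)

    # Map each count rule back to its client so the two views can be compared.
    per_client_from_rules = {
        client: rule_counters[(i + 1) * 10] for i, client in enumerate(clients)
    }
    totals_agree = all(
        per_client_from_rules[c] == user_counters.get(c, 0) for c in clients
    )
    return {
        "kernel_comparisons": comparisons,       # n_packets * (n_clients + 1)
        "userland_lookups": lookups,             # n_packets
        "totals_agree": totals_agree,
    }


if __name__ == "__main__":
    print(model())
```

With 200 clients the kernel-style walk performs 201 comparisons per packet while the userland counter performs one lookup; the per-client totals are identical, which is the point of moving accounting out of the rule list: the firewall keeps only the rules that make a forwarding decision, and the accounting cost stops scaling with the number of customers.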