From: Nate Williams <nate@yogotech.com>
Date: Thu, 16 Jan 2003 17:03:33 -0700
To: Josh Brooks
Cc: "."@babolo.ru, Terry Lambert, Nate Williams, Sean Chittenden
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <15911.18517.729130.126874@emerger.yogotech.com>
In-Reply-To: <20030116155122.X38599-100000@mail.econolodgetulsa.com>
References: <200301162351.h0GNpnPC002685@aaz.links.ru> <20030116155122.X38599-100000@mail.econolodgetulsa.com>

> > If I remember correctly he has less than 10Mbit
> > uplink and a lot of count rules for client accounting.
> > It is the reason I recommended him to use userland accounting.
> > And as far as I understand a lot of count rules are
> > the reason for trouble.
>
> I removed all the count rules a week or so ago.  Now I just have 2-300
> rules in the form:
>
> [ Snip ]

Seriously, if you want more help, you're going to have to give more
details than 'of the form'.  Send a couple of us (not the entire list)
your rules to look at, and maybe something will jump out.  At this point,
we can only guess, and spin our wheels trying to help you out.

> allow tcp from $IP to any established
> allow tcp from any to $IP established
> allow tcp from any to $IP 22,25,80,443 setup
> deny ip from any to $IP

Seems like overkill to me, when you can do something simpler with a
single rule, although depending on that rule is risky with ipfw, since
it *can* be spoofed (as you are well aware). ;(

> and I have that same set in there about 50-70 times - one for each
> customer IP address that has requested it.  That's it :)

Yikes.  Can't you simply allow in *all* the packets for an entire
netblock, and let them bounce around in the network for any
'non-listening' host?

> So each packet I get goes through about 5 rules at the front to check for
> bogus packets, then about 70 sets of the above until it either matches one
> of those, or goes out the end with the default allow rule.

If you've got a default allow rule, what's the point of the above rules?

Again, specific details (i.e., your rules list) would certainly go a long
way.

Nate
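The cost the poster describes, a packet walking a few sanity rules and then up to 70 copies of the four-rule set, can be modelled with a small first-match simulator. This is an added example, not code from the thread or from ipfw itself; the matcher, the rule layouts and the sample addresses are constructed to show why Nate suggests collapsing the per-IP sets into one set for the whole netblock.

```python
# Constructed model of ipfw's linear, first-match rule walk (not ipfw code).
import ipaddress
from collections import namedtuple

# action: allow/deny; proto: "tcp" or "ip" (any); src/dst: "any", host or CIDR;
# dports: destination ports (empty = any); flag: "established", "setup" or "".
Rule = namedtuple("Rule", "action proto src dst dports flag", defaults=(frozenset(), ""))
PORTS = frozenset({22, 25, 80, 443})

def _in(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (_in(rule.src, pkt["src"]) and _in(rule.dst, pkt["dst"])):
        return False
    if rule.dports and pkt.get("dport") not in rule.dports:
        return False
    if rule.flag == "established" and not pkt.get("ack"):                # ACK set
        return False
    if rule.flag == "setup" and (pkt.get("ack") or not pkt.get("syn")):  # SYN only
        return False
    return True

def evaluate(rules, pkt):
    """First match wins; an unmatched packet reaches the poster's default allow.
    Returns (action, number of rules examined)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n
    return "allow", len(rules)

def per_customer_rules(ips):   # the four-rule set from the post, repeated per IP
    rules = []
    for ip in ips:
        rules += [Rule("allow", "tcp", ip, "any", flag="established"),
                  Rule("allow", "tcp", "any", ip, flag="established"),
                  Rule("allow", "tcp", "any", ip, PORTS, "setup"),
                  Rule("deny", "ip", "any", ip)]
    return rules

def netblock_rules(net):       # Nate's suggestion: one set for the whole netblock
    return [Rule("allow", "tcp", "any", "any", flag="established"),  # spoofable, as he notes
            Rule("allow", "tcp", "any", net, PORTS, "setup"),
            Rule("deny", "ip", "any", net)]

# Constructed sample: 70 customer hosts in the RFC 5737 range, and a SYN to the last one.
CUSTOMERS = [f"192.0.2.{i}" for i in range(1, 71)]
SYN_TO_LAST = {"proto": "tcp", "src": "198.51.100.9", "dst": "192.0.2.70",
               "dport": 80, "syn": True, "ack": False}
```

Note that the two layouts are not equivalent for addresses outside the customer list: the per-IP version lets those fall through to the default allow, while the netblock version denies them.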