From: "."@babolo.ru
To: Nate Williams
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Date: Fri, 17 Jan 2003 03:07:05 +0300 (MSK)
Message-Id: <200301170007.h0H075lh003593@aaz.links.ru>
In-Reply-To: <15911.17533.490764.478803@emerger.yogotech.com>

> > > > Try this simple ruleset:
> > > >
> > > > possible deny log tcp from any to any setup tcpoptions !mss
> > > >
> > > > ipfw add allow ip from any to any out
> > > > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > > > ipfw add deny log ip from any to any
> > >
> > > I'd limit these to the outside interface, for performance rules.
> > >
> > > # Whatever the interface is...
> > > outif="fxp0"
> > > ipfw add allow ip from any to any out via ${outif}
> > > ipfw add allow ip from any to your.c.net{x,y,z,so on...} via ${outif}
> > > ipfw add deny log ip from any to any via ${outif}
> > >
> > > etc...
> >
> > Your above ruleset seems to be correct ... if you add
> > some rule for outgoing traffic.
> > I was too fast and kept in mind only incoming traffic.
> >
> > Effectiveness depends on the number of interfaces.
> > If I remember right, one external and one internal.
> > If such, the ruleset without interfaces defined
> > for allow rules is not worse than without interfaces IMHO.
>
> Not true. The packets still pass through 'both' interfaces, and as such
> the number of rules it must traverse is doubled (once for the internal,
> one for the external). Halving the # of ipfw rules is an easy way to
> decrease the load on a CPU. :)
>
> For most people, it makes little difference, but the user in question
> has a firewall that's overloaded, so a 2x decrease in the # of rules might
> make the difference, since the 'load' is caused by packets that
> shouldn't be getting through..

The point is that DDoS goes against existing IP addresses in the internal
net and will be passed through, so the faster the ruleset passes a DoS
packet, the better ... for the firewall :-)

--
@BABOLO http://links.ru/
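As an added illustration (not code from the thread or from FreeBSD), the following Python model of ipfw's first-match evaluation walks the quoted rulesets for a packet that crosses a two-interface firewall and counts the rule checks on each pass; it also tries a third variant with a leading fast-path rule for the inside interface. Interface names, addresses, the subset of rule syntax modelled and the default-deny final rule are assumptions.

```python
# Toy first-match evaluator for the ipfw rules quoted above (added example).
# A packet from the outside is checked twice by a two-interface firewall:
# "in" on the external interface, then "out" on the internal one.
# Interface names, hosts and the implicit default-deny rule are assumptions.
from dataclasses import dataclass
from typing import Optional

EXT, INT = "fxp0", "fxp1"                    # assumed outside/inside interfaces
PROTECTED = {"10.0.0.1", "10.0.0.2"}         # assumed "your.c.net{x,y,...}" hosts

@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    dst: Optional[set] = None           # destination set; None means "any"
    direction: Optional[str] = None     # "in", "out" or None for either
    via: Optional[str] = None           # interface name or None for any

@dataclass
class Packet:
    dst: str
    direction: str                      # "in" or "out" relative to iface
    iface: str

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.dst is None or pkt.dst in rule.dst)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.via is None or rule.via == pkt.iface))

def evaluate(rules, pkt):
    """First match wins; the implicit last rule denies everything."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n
    return "deny", len(rules)

def firewall_path(rules, dst):
    """Inbound packet: pass 1 'in' on EXT, pass 2 'out' on INT if allowed.
    Returns (final verdict, total rules examined across both passes)."""
    verdict, n_in = evaluate(rules, Packet(dst, "in", EXT))
    if verdict != "allow":
        return verdict, n_in
    verdict, n_out = evaluate(rules, Packet(dst, "out", INT))
    return verdict, n_in + n_out

# The quoted ruleset without interfaces, then with "via ${outif}" on every
# rule as suggested, then with an extra fast-path rule for the inside interface.
PLAIN = [Rule("allow", direction="out"), Rule("allow", dst=PROTECTED), Rule("deny")]
VIA_ONLY = [Rule("allow", direction="out", via=EXT),
            Rule("allow", dst=PROTECTED, via=EXT), Rule("deny", via=EXT)]
FASTPATH = [Rule("allow", via=INT)] + VIA_ONLY
```

Note that a `via ${outif}` qualifier alone does not shorten the second pass: those rules are still examined on the inside interface and simply fail to match, so the packet falls through to the default deny unless an earlier rule covers that interface.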