Date: Tue, 16 Jul 2002 05:15:13 +0200
From: Barry Irwin <bvi@itouchlabs.com>
To: zhang jack <jack_zhangcl@hotmail.com>
Cc: security@FreeBSD.ORG
Subject: Re: syncache testing
Message-ID: <20020716051513.M4570@itouchlabs.com>
In-Reply-To: <F212ebm4M2S0gUFDKPG00005e2f@hotmail.com>; from jack_zhangcl@hotmail.com on Tue, Jul 16, 2002 at 02:58:13AM +0000
References: <F212ebm4M2S0gUFDKPG00005e2f@hotmail.com>

Yes, I make use of ipfw and the separate NAT daemon, however. I've given it
some more thought and I'm not sure if this would work as expected (would be
very nice if it does, looking forward to the outcomes of your testing).

The second method I suggested will work, as the packets are being processed
by the local host; however, you have an additional software component and
load on the gateway/firewall. This should work for beefing up the security of
your web servers if you then firewalled them from connecting to anywhere but
their local subnet, as all the Internet-facing communication is via the
reverse proxy.

Barry

On Tue 2002-07-16 (02:58), zhang jack wrote:
>
> Thanks for your reply.
> I have used Ipfilter; did you mean using port redirecting?
> rdr fxp0 210.96.1.1 port 80 -> 192.168.1.1 port 80
> Can it pass through syncache? I know Ipfilter hooks the packets
> at the IP level.
>
>
>
> >From: Barry Irwin <bvi@itouchlabs.com>
> >To: zhang jack <jack_zhangcl@hotmail.com>
> >CC: security@FreeBSD.ORG
> >Subject: Re: syncache testing
> >Date: Tue, 16 Jul 2002 04:42:12 +0200
> >
> >Hi
> >
> >I'm not overly familiar with the syncache code, but you _may_ be able to
> >make use of the syncache mitigation by having your server sitting behind the
> >BSD box, with traffic being natted. A solution that may work better is to
> >have a reverse proxy of sorts running on the BSD system which proxies
> >requests to your webservers.
> >
> >Barry
> >
> >
> >On Tue 2002-07-16 (02:24), zhang jack wrote:
> > >
> > > Hi,
> > > I am testing syncache on FreeBSD 4.6 stable, and it works fine,
> > > but I found it *only* protects against syn flooding of itself. Can it act
> > > as a gateway (or firewall) to protect my www server?
> > > Can anyone help me?
> > >
> >--
> >Barry Irwin bvi@itouchlabs.com +27214875177
> >Systems Administrator: Networks And Security
> >iTouch TAS http://www.itouchlabs.com South Africa
> >
> >
>
> _________________________________________________________________
> Enjoy the world's largest e-mail system: MSN Hotmail. http://www.hotmail.com/cn
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
Barry Irwin bvi@itouchlabs.com +27214875177
Systems Administrator: Networks And Security
iTouch TAS http://www.itouchlabs.com South Africa