From: Barry Irwin
To: zhang jack
Cc: security@FreeBSD.ORG
Subject: Re: syncache testing
Date: Tue, 16 Jul 2002 05:15:13 +0200
Message-ID: <20020716051513.M4570@itouchlabs.com>
In-Reply-To: ; from jack_zhangcl@hotmail.com on Tue, Jul 16, 2002 at 02:58:13AM +0000
User-Agent: Mutt/1.2.5i
List: freebsd-security@freebsd.org

Yes, I make use of ipfw and the separate NAT daemon, however. Having given it some more thought, I'm not sure if this would work as expected (it would be very nice if it does; looking forward to the outcomes of your testing).
The second method I suggested will work, as the packets are being processed by the local host; however, you have an additional software component and load on the gateway/firewall. This should work for beefing up the security of your web servers if you then firewalled them from connecting to anywhere but their local subnet, as all the Internet-facing communication is via the reverse proxy.

Barry

On Tue 2002-07-16 (02:58), zhang jack wrote:
>
> Thanks for your reply.
> I have used Ipfilter, did you mean using port redirecting?
> rdr fxp0 210.96.1.1 port 80 -> 192.168.1.1 port 80
> can it pass through syncache? I know Ipfilter hooks the packets
> in the IP level.
>
> >From: Barry Irwin
> >To: zhang jack
> >CC: security@FreeBSD.ORG
> >Subject: Re: syncache testing
> >Date: Tue, 16 Jul 2002 04:42:12 +0200
> >
> >Hi
> >
> >I'm not overly familiar with the syncache code, but you _may_ be able to
> >make use of the syncache mitigation by having your server sitting behind the
> >BSD box, with traffic being natted. A solution that may work better is to
> >have a reverse proxy of sorts running on the BSD system which proxies
> >requests to your webservers.
> >
> >Barry
> >
> >On Tue 2002-07-16 (02:24), zhang jack wrote:
> > > Hi,
> > > I am testing syncache on FreeBSD 4.6 stable, and it works fine,
> > > but I found it *only* protects against syn flooding of itself. Can it act
> > > as a gateway (or firewall) to protect my www server?
> > > can anyone help me?
> >
> >--
> >Barry Irwin bvi@itouchlabs.com +27214875177
> >Systems Administrator: Networks And Security
> >iTouch TAS http://www.itouchlabs.com South Africa
>
> _________________________________________________________________
> Enjoy the world's largest e-mail system, MSN Hotmail. http://www.hotmail.com/cn

--
Barry Irwin bvi@itouchlabs.com +27214875177
Systems Administrator: Networks And Security
iTouch TAS http://www.itouchlabs.com South Africa

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message