From: "zhang jack" <jack_zhangcl@hotmail.com>
To: bvi@itouchlabs.com
Cc: security@FreeBSD.ORG
Subject: Re: syncache testing
Date: Tue, 16 Jul 2002 03:44:26 +0000

I have tested IPFilter + syncache, and it seems it doesn't work.

    client 192.168.1.1
           |
       ____|_______
       fxp0:192.168.1.2
          Gateway
       ____________
       fxp1:10.0.0.1
           |
           |
    www server 10.0.0.2

I make the rdr rule as:

    rdr fxp0 192.168.1.2/32 port 80 -> 10.0.0.2 port 80

then I make a SYN flood to 192.168.1.2 (on 192.168.1.1), and the syncache seems not to work:

    net.inet.tcp.syncache.count: 0

Maybe I must use IPFW + natd?

Jack Zhang

>From: Barry Irwin <bvi@itouchlabs.com>
>To: zhang jack
>CC: security@FreeBSD.ORG
>Subject: Re: syncache testing
>Date: Tue, 16 Jul 2002 05:15:13 +0200
>
>Yes, I make use of ipfw and the separate NAT daemon, however. Given it some
>more thought and I'm not sure if this would work as expected (would be very
>nice if it does, looking forward to the outcomes of your testing).
>
>The second method I suggested will work, as the packets are being processed
>by the local host; however you have an additional software component and
>load on the gateway/firewall. This should work for beefing up the security of
>your web servers if you then firewalled them from connecting to anywhere but
>their local subnet, as all the Internet-facing communication is via the
>reverse proxy.
>
>Barry
>
>On Tue 2002-07-16 (02:58), zhang jack wrote:
> >
> > Thanks for your reply.
> > I have used IPFilter; did you mean using port redirecting?
> >
> >     rdr fxp0 210.96.1.1 port 80 -> 192.168.1.1 port 80
> >
> > Can it pass through syncache? I know IPFilter hooks the packets
> > at the IP level.
> >
> > >From: Barry Irwin
> > >To: zhang jack
> > >CC: security@FreeBSD.ORG
> > >Subject: Re: syncache testing
> > >Date: Tue, 16 Jul 2002 04:42:12 +0200
> > >
> > >Hi
> > >
> > >I'm not overly familiar with the syncache code, but you _may_ be able to
> > >make use of the syncache mitigation by having your server sitting behind the
> > >BSD box, with traffic being natted. A solution that may work better is to
> > >have a reverse proxy of sorts running on the BSD system which proxies
> > >requests to your webservers.
> > >
> > >Barry
> > >
> > >On Tue 2002-07-16 (02:24), zhang jack wrote:
> > > >
> > > > Hi,
> > > > I am testing syncache on FreeBSD 4.6 stable, and it works fine,
> > > > but I found it *only* protects against SYN flooding of itself. Can it act
> > > > as a gateway (or firewall) to protect my www server?
> > > > Can anyone help me?
> > >
> > >--
> > >Barry Irwin bvi@itouchlabs.com +27214875177
> > >Systems Administrator: Networks And Security
> > >iTouch TAS http://www.itouchlabs.com South Africa
>
>--
>Barry Irwin bvi@itouchlabs.com +27214875177
>Systems Administrator: Networks And Security
>iTouch TAS http://www.itouchlabs.com South Africa
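The packet-path question the thread turns on (does a SYN that an IPFilter `rdr` rule redirects ever reach the gateway's own syncache, versus a SYN to a port that a reverse proxy terminates on the gateway), as an added model written for this page; it is not FreeBSD code and not from the thread. The `Gateway` class, its `rdr` table, the listener set and the flood sizes are constructed assumptions that only encode the ordering the replies rely on: NAT rewrites on input before the local/forward decision, and only locally delivered SYNs create syncache entries.

```python
"""Constructed model of the gateway packet path discussed in the thread
(not FreeBSD code): ipfilter rdr rewrites the destination on input, and
only SYNs delivered to a local listening port reach the TCP syncache."""
from dataclasses import dataclass, field


@dataclass
class Gateway:
    local_ips: set                 # addresses configured on fxp0/fxp1
    listeners: set                 # TCP ports with a local listener (reverse proxy)
    rdr: dict = field(default_factory=dict)       # (dst_ip, dport) -> (ip, port)
    syncache: dict = field(default_factory=dict)  # (src, sport, dport) -> state
    forwarded: list = field(default_factory=list)

    def syn_in(self, src, sport, dst, dport):
        """Process one inbound TCP SYN; returns where it ended up."""
        # 1. ipfilter NAT runs on the inbound hook, before ip_input routing.
        if (dst, dport) in self.rdr:
            dst, dport = self.rdr[(dst, dport)]
        # 2. Not for a local address/port: forwarded out the other interface.
        #    tcp_input() and therefore the syncache never see this packet.
        if dst not in self.local_ips or dport not in self.listeners:
            self.forwarded.append((src, sport, dst, dport))
            return "forwarded"
        # 3. Local TCP input: a SYN creates a syncache entry, not a socket,
        #    so a flood cannot fill the listen queue of the local service.
        self.syncache[(src, sport, dport)] = "SYN_RCVD"
        return "syncache"

    def syncache_count(self):
        return len(self.syncache)


def flood(gw, n):
    # Constructed flood: n SYNs from the client to the gateway's outside address.
    for sport in range(1024, 1024 + n):
        gw.syn_in("192.168.1.1", sport, "192.168.1.2", 80)


def compare(n=1000):
    """Jack's rdr setup versus the reverse-proxy setup; returns
    (rdr syncache count, proxy syncache count, rdr forwarded count)."""
    ips = {"192.168.1.2", "10.0.0.1"}
    rdr_gw = Gateway(ips, listeners=set(),
                     rdr={("192.168.1.2", 80): ("10.0.0.2", 80)})
    proxy_gw = Gateway(ips, listeners={80})   # reverse proxy bound to port 80
    flood(rdr_gw, n)
    flood(proxy_gw, n)
    return rdr_gw.syncache_count(), proxy_gw.syncache_count(), len(rdr_gw.forwarded)
```

`compare()` returns `(0, 1000, 1000)`: every redirected SYN is forwarded to 10.0.0.2 and the gateway's count stays at zero, which is the `net.inet.tcp.syncache.count: 0` reading in the thread, while the proxy variant absorbs the flood in the gateway's syncache.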