Date: Tue, 16 Jul 2002 03:44:26 +0000
From: "zhang jack" <jack_zhangcl@hotmail.com>
To: bvi@itouchlabs.com
Cc: security@FreeBSD.ORG
Subject: Re: syncache testing
Message-ID: <F82K7Rz66lKjo0pzeSz00015b1f@hotmail.com>
I have tested Ipfilter + syncache, it seems it doesn't work.

  client 192.168.1.1
         |
   ______|______
   fxp0:192.168.1.2
       Gateway
   fxp1:10.0.0.1
   ______|______
         |
  www server 10.0.0.2

I make the rdr rule as:

  "rdr fxp0 192.168.1.2/32 port 80 -> 10.0.0.2 port 80"

then I make a syn flood to 192.168.1.2 (on 192.168.1.1), the syncache seems
not to work:

  "net.inet.tcp.syncache.count: 0"

Maybe I must use IPFW+Natd?

Jack Zhang

>From: Barry Irwin <bvi@itouchlabs.com>
>To: zhang jack <jack_zhangcl@hotmail.com>
>CC: security@FreeBSD.ORG
>Subject: Re: syncache testing
>Date: Tue, 16 Jul 2002 05:15:13 +0200
>
>
>Yes, I make use of ipfw and the separate NAT daemon, however. Given it some
>more thought and I'm not sure if this would work as expected ( would be very
>nice if it does, looking forward to the outcomes of your testing).
>
>The second method I suggested, will work as the packets are being processed
>by the local host, however you have an additional software component and
>load on the gateway/firewall. This should work for beefing up the security of
>your web servers if you then firewalled them from connecting to anywhere but
>their local subnet, as all the Internet facing communications is via the
>reverse proxy.
>
>Barry
>
>On Tue 2002-07-16 (02:58), zhang jack wrote:
> >
> > Thanks for your reply.
> > I have used Ipfilter, did you mean using port redirecting?
> > rdr fxp0 210.96.1.1 port 80 -> 192.168.1.1 port 80
> > can it pass through syncache? I know Ipfilter hooks the packets
> > in the IP level.
> >
> >
> >
> > >From: Barry Irwin <bvi@itouchlabs.com>
> > >To: zhang jack <jack_zhangcl@hotmail.com>
> > >CC: security@FreeBSD.ORG
> > >Subject: Re: syncache testing
> > >Date: Tue, 16 Jul 2002 04:42:12 +0200
> > >
> > >Hi
> > >
> > >I'm not overly familiar with the syncache code, but you _may_ be able to
> > >make use of the syncache mitigation by having your server sitting behind the
> > >BSD box, with traffic being natted. A solution that may work better is to
> > >have a reverse proxy of sorts running on the BSD system which proxies
> > >requests to your webservers.
> > >
> > >Barry
> > >
> > >On Tue 2002-07-16 (02:24), zhang jack wrote:
> > > >
> > > > Hi,
> > > > I am testing syncache on FreeBSD 4.6 stable, and it works fine,
> > > > but I found it *only* protects against syn flooding of itself, can it act
> > > > as a gateway (or firewall) to protect my www server?
> > > > can anyone help me?
> > >
> > >--
> > >Barry Irwin bvi@itouchlabs.com +27214875177
> > >Systems Administrator: Networks And Security
> > >iTouch TAS http://www.itouchlabs.com South Africa
> >
>
>--
>Barry Irwin bvi@itouchlabs.com +27214875177
>Systems Administrator: Networks And Security
>iTouch TAS http://www.itouchlabs.com South Africa
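An ipfilter ruleset for the reverse-proxy layout Barry describes, as an added example that is not part of the thread. It assumes the interfaces and addresses from Jack's diagram, an inside subnet of 10.0.0.0/24, and a reverse proxy on the gateway listening on 192.168.1.2 port 80; it deliberately has no rdr rule, because redirected packets are forwarded at the IP layer and never reach the gateway's own TCP listener, which is consistent with the syncache count of 0 Jack observed.

```ipf
# /etc/ipf.conf on the gateway (constructed example, not from the thread).
# Assumed layout: fxp0 192.168.1.2 outside, fxp1 10.0.0.1 inside,
# web server 10.0.0.2, inside subnet 10.0.0.0/24 (assumed),
# reverse proxy listening on 192.168.1.2:80.

# Clients terminate on the gateway's own listener, so the gateway's
# syncache handles their SYNs (net.inet.tcp.syncache.count moves).
pass in quick on fxp0 proto tcp from any to 192.168.1.2 port = 80 flags S keep state

# Only the proxy on the gateway opens connections to the web server;
# the state entry lets the replies back in on fxp1.
pass out quick on fxp1 proto tcp from 10.0.0.1 to 10.0.0.2 port = 80 flags S keep state

# The web server may talk to its local subnet and nothing else
# (Barry's "firewalled from connecting to anywhere but their local subnet").
pass in quick on fxp1 from 10.0.0.0/24 to 10.0.0.0/24
block in quick on fxp1 from 10.0.0.2 to any
```

After loading the rules, watching net.inet.tcp.syncache.count on the gateway during a test shows whether client SYNs are now being terminated locally rather than forwarded.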