Date: Tue, 20 May 2003 08:45:34 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: jeremie le-hen <le-hen_j@epita.fr>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD firewall block syn flood attack
Message-ID: <20030520084338.W56510@odysseus.silby.com>
In-Reply-To: <20030520095759.GA26095@carpediem.epita.fr>
References: <BAEF3AC0.9998%ryan@mac2.net> <20030520095759.GA26095@carpediem.epita.fr>
On Tue, 20 May 2003, jeremie le-hen wrote:

> Note that in fact, this might be achieved on your firewall (FreeBSD also
> supports syncookies), but this would imply TCP SYN to be received by the
> firewall itself, which in turn would forward the TCP connection to the
> appropriate server once the connection would be fully established.
> (I think a simple TCP tunnel with a NAT redirection to localhost should
> work.)
>
> Regards,
> --
> Jeremie aka TtZ/TataZ
> jeremie.le-hen@epita.fr

You could certainly pull that off with an application level proxy, but the
disadvantage would be that the server would no longer be able to determine
the source IP of the machines connecting to it.

It would be possible to add the syncache / syncookies to ipfw so that it
could be used to protect hosts behind it, but I don't think anyone has tried
an implementation of that yet.

Mike "Silby" Silbersack
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030520084338.W56510>
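The thread above turns on one property of SYN cookies: the host that answers the SYN keeps no state, because it folds everything it needs into the 32-bit initial sequence number and recovers it from the client's final ACK. That is why the cookie check has to run on whichever box terminates the handshake, and why a proxying firewall ends up hiding the client address from the real server. The following is an added illustration of that mechanism and is not code from the FreeBSD syncache, from ipfw, or from anyone in the thread. It follows the general bit layout of the original SYN cookie design (a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash), but the secret, the MSS table, the 32-second tick, the two-tick lifetime and the use of HMAC-SHA256 as the keyed hash are all assumptions made for the example, and the addresses and ports are constructed test values.

```python
import hashlib
import hmac
import struct

# Constructed per-host secret for the example; a real implementation would
# generate this at boot and rotate it.
SECRET = b"constructed-demo-secret-not-for-production"

# MSS values the cookie can encode. Only the 3-bit table index travels in the
# ISN, so the client's real MSS is rounded down to the nearest entry.
MSS_TABLE = (216, 536, 1024, 1460, 4312, 8960)

TICK_SECONDS = 32          # assumed granularity of the 5-bit time counter
COOKIE_LIFETIME_TICKS = 2  # assumed: accept cookies minted up to 2 ticks ago


def _tick(now: int) -> int:
    """5-bit wall-clock counter, one step per TICK_SECONDS."""
    return (now // TICK_SECONDS) & 0x1F


def mss_index(mss: int) -> int:
    """Largest table index whose MSS does not exceed the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _mac24(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int,
           client_isn: int, tick: int, midx: int) -> int:
    """24-bit keyed hash over the connection 4-tuple, the client's ISN, the
    time counter and the MSS index. Covering the MSS index stops a client that
    holds one valid cookie from rewriting its own MSS field."""
    msg = struct.pack("!4s4sHHIBB", src_ip, dst_ip, src_port, dst_port,
                      client_isn & 0xFFFFFFFF, tick, midx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int,
                client_isn: int, mss: int, now: int) -> int:
    """ISN to place in the SYN-ACK. No per-connection state is stored."""
    tick = _tick(now)
    midx = mss_index(mss)
    mac = _mac24(src_ip, dst_ip, src_port, dst_port, client_isn, tick, midx)
    return ((tick << 27) | (midx << 24) | mac) & 0xFFFFFFFF


def check_cookie(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int,
                 ack_seq: int, ack_ack: int, now: int):
    """Validate the third handshake packet.

    ack_seq is the SEQ field of the client's ACK (client_isn + 1) and ack_ack
    its ACK field (cookie + 1). Returns the negotiated MSS on success, None on
    a forged, replayed-to-another-tuple or expired cookie.
    """
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    midx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF

    # Age is computed modulo 32 so the counter may wrap.
    if ((_tick(now) - tick) & 0x1F) > COOKIE_LIFETIME_TICKS:
        return None
    if midx >= len(MSS_TABLE):
        return None
    expected = _mac24(src_ip, dst_ip, src_port, dst_port, client_isn, tick, midx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None
    return MSS_TABLE[midx]


if __name__ == "__main__":
    # Constructed handshake: TEST-NET addresses, not real hosts.
    client, server = bytes([203, 0, 113, 7]), bytes([198, 51, 100, 10])
    now = 1_000_000
    isn = 0x11223344
    cookie = make_cookie(client, server, 40000, 80, isn, 1460, now)
    print("genuine ACK  ->", check_cookie(client, server, 40000, 80, isn + 1, cookie + 1, now))
    print("forged ACK   ->", check_cookie(client, server, 40000, 80, isn + 1, (cookie ^ 1) + 1, now))
    print("stale ACK    ->", check_cookie(client, server, 40000, 80, isn + 1, cookie + 1, now + 3 * TICK_SECONDS))
```

The check only succeeds on the host holding SECRET and seeing the same 4-tuple, which is the practical content of Mike's objection: if a firewall mints and verifies the cookie, it is the firewall that completes the handshake, and the real server behind it sees a connection opened by the firewall rather than by the client. Note also that the cookie is only 24 bits of MAC; that is why the lifetime is kept short and why SYN cookies are normally switched on only while the listen queue is under pressure rather than used for every connection.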