Date:      Thu, 16 Jan 2003 15:30:09 -0800
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Nate Williams <nate@yogotech.com>
Cc:        Josh Brooks <user@mail.econolodgetulsa.com>, Sean Chittenden <sean@chittenden.org>, freebsd-hackers@freebsd.org
Subject:   Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID:  <3E274081.F2D2F873@mindspring.com>
References:  <20030116124254.J9642-100000@mail.econolodgetulsa.com> <3E2739D1.5402B7A6@mindspring.com> <15911.15188.728351.631767@emerger.yogotech.com>

Nate Williams wrote:
> Except that it's acting as a router, and as such there is no 'setup'
> except for the one he is using to configure/monitor the firewall via
> SSH.
> 
> In essence, a no-op in a dedicated firewall setup.

He doesn't want just a dedicated firewall, since it won't save
him from an attack like the ones he's getting.

The only reasonable way to shed load is at L4/L7 interaction;
if all he's doing is L3, then his firewall will likely not
save him.

According to most of the stuff he posted, though, he's running
L4 rules in his firewall (peeking into TCP packets).

A Netscreen is a stateful firewall, which will (in effect) be
providing application layer proxies for the connections... this
is also the way a load balancer acts, in order to shed load by
limiting simultaneous connections (L4/L7).


In any case, he's got something else strange going on, because
his load under attack, according to his numbers, never gets above
the load you'd expect on 10Mbit old-style ethernet, so he's got
something screwed up; probably, he has a loop in his rules, and
a packet gets trapped and reprocessed over and over again (a
friend of mine had this problem back in early December).

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
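Added illustration (not code from this thread or from FreeBSD): a small simulation of the distinction Terry draws between a stateless L3 rule, which passes every packet addressed to an allowed port, and an L4-aware stateful filter that caps simultaneous connections per source, the way ipfw's `limit src-addr N` or a load balancer sheds load. The packet records and the addresses 10.0.0.9, 192.0.2.5 and 203.0.113.7 are constructed sample traffic; the flood source opens many connections and never closes them, the normal client opens, closes and reopens.

```python
"""Stateless L3 allow versus stateful per-source connection limit (toy model)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "A" = ACK, "F" = FIN, "R" = RST


def l3_filter(packets, allowed_ports):
    """Stateless check: every packet to an allowed port passes, whatever
    its source is already doing. Nothing here can shed a connection flood."""
    accepted = dropped = 0
    for p in packets:
        if p.dport in allowed_ports:
            accepted += 1
        else:
            dropped += 1
    return {"accepted": accepted, "dropped": dropped}


def stateful_limit(packets, allowed_ports, max_per_src):
    """Stateful filter: a SYN opens state only while the source is under its
    cap (cf. ipfw 'limit src-addr N'); mid-stream packets pass only if state
    exists; FIN/RST releases the slot."""
    open_conns = defaultdict(set)  # src -> set of (sport, dport)
    peak = defaultdict(int)        # highest simultaneous count seen per src
    accepted = dropped = 0
    for p in packets:
        key = (p.sport, p.dport)
        if p.dport not in allowed_ports:
            dropped += 1
            continue
        if p.flags == "S":
            if key in open_conns[p.src]:
                accepted += 1  # retransmitted SYN of a connection we track
            elif len(open_conns[p.src]) >= max_per_src:
                dropped += 1   # source is over its cap: shed the new flow
            else:
                open_conns[p.src].add(key)
                peak[p.src] = max(peak[p.src], len(open_conns[p.src]))
                accepted += 1
        elif key in open_conns[p.src]:
            accepted += 1
            if p.flags in ("F", "R"):
                open_conns[p.src].discard(key)
        else:
            dropped += 1  # no state for this flow: never saw its SYN
    return {"accepted": accepted, "dropped": dropped, "peak": dict(peak)}


def sample_traffic():
    """Constructed traffic: one flooding source, one normal client, one stray."""
    flood = [Packet("10.0.0.9", 40000 + i, 80, "S") for i in range(50)]
    normal = [
        Packet("192.0.2.5", 51000, 80, "S"),
        Packet("192.0.2.5", 51000, 80, "A"),
        Packet("192.0.2.5", 51001, 80, "S"),
        Packet("192.0.2.5", 51001, 80, "A"),
        Packet("192.0.2.5", 51000, 80, "F"),   # closes, frees a slot
        Packet("192.0.2.5", 51002, 80, "S"),
        Packet("192.0.2.5", 51002, 80, "A"),
        Packet("203.0.113.7", 60000, 25, "S"),  # port not allowed at all
    ]
    return flood + normal


if __name__ == "__main__":
    traffic = sample_traffic()
    print("L3 only      :", l3_filter(traffic, {80}))
    print("stateful cap :", stateful_limit(traffic, {80}, max_per_src=10))
```

With the cap at 10, the flooding source gets its first ten SYNs through and the remaining forty are shed before they reach the host, while the normal client is untouched; the stateless rule passes all fifty. The model ignores timeouts and half-open state ageing, which a real stateful firewall also needs, otherwise a source that never closes keeps its slots forever.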