From: Terry Lambert
Date: Thu, 16 Jan 2003 15:30:09 -0800
To: Nate Williams
Cc: Josh Brooks, Sean Chittenden, freebsd-hackers@freebsd.org
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <3E274081.F2D2F873@mindspring.com>
References: <20030116124254.J9642-100000@mail.econolodgetulsa.com> <3E2739D1.5402B7A6@mindspring.com> <15911.15188.728351.631767@emerger.yogotech.com>

Nate Williams wrote:
> Except that it's acting as a router, and as such there is no 'setup'
> except for the one he is using to configure/monitor the firewall via
> SSH.
>
> In essence, a no-op in a dedicated firewall setup.

He doesn't want just a dedicated firewall, since it won't save him from
an attack like the ones he's getting.
The only reasonable way to shed load is at L4/L7 interaction; if all
he's doing is L3, then his firewall will likely not save him.
According to most of the stuff he posted, though, he's running L4
rules in his firewall (peeking into TCP packets).

A Netscreen is a stateful firewall, which will (in effect) be
providing application layer proxies for the connections... this is
also the way a load balancer acts, in order to shed load by limiting
simultaneous connections (L4/L7).

In any case, he's got something else strange going on, because his
load under attack, according to his numbers, never gets above the
load you'd expect on 10Mbit old-style ethernet, so he's got something
screwed up; probably, he has a loop in his rules, and a packet gets
trapped and reprocessed over and over again (a friend of mine had
this problem back in early December).

-- Terry
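The two mechanisms Terry describes, a stateful rule that sheds load by capping simultaneous connections per source, and a rule chain with a loop that traps a packet and reprocesses it, can be illustrated with a small rule evaluator. The code below is an added example and is not from the mailing-list thread, nor is it ipfw or Netscreen code: the `Rule`, `Packet` and `Firewall` types, the `skipto`/`limit` semantics and the sample rule sets are assumptions modelled loosely on ipfw's vocabulary. Real ipfw only continues forward on `skipto`; the toy allows a backward target on purpose so that the trapped-packet failure mode can be reproduced and detected.

```python
"""Toy stateful firewall: per-source connection limiting plus rule-loop detection.

Added example (not from the thread). The rule language is a simplified,
assumed model of ipfw-style rules, not a real firewall implementation.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int
    syn: bool                     # True for a connection-setup (SYN) packet


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                   # 'allow', 'deny' or 'skipto'
    dport: Optional[int] = None   # None matches any destination port
    setup: bool = False           # match only SYN packets (an L4 peek)
    limit: Optional[int] = None   # max simultaneous connections per source
    target: Optional[int] = None  # skipto destination rule number


class RuleLoop(Exception):
    """Raised when a packet reaches the same rule twice (trapped packet)."""


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.setup and not pkt.syn:
        return False
    return True


def find_backward_skipto(rules: List[Rule]) -> List[int]:
    """Static lint: skipto rules whose target is not strictly after them."""
    return [r.num for r in rules
            if r.action == 'skipto' and r.target is not None and r.target <= r.num]


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.conns = defaultdict(set)     # src -> {(sport, dport), ...}

    def _jump(self, target: int) -> int:
        # ipfw-style: continue with the first rule numbered >= target
        for i, r in enumerate(self.rules):
            if r.num >= target:
                return i
        return len(self.rules)

    def process(self, pkt: Packet) -> str:
        """Walk the chain; return 'allow' or 'deny', raise RuleLoop on a cycle."""
        i, seen = 0, set()
        while i < len(self.rules):
            rule = self.rules[i]
            if rule.num in seen:
                raise RuleLoop(f"rule {rule.num} revisited for packet from {pkt.src}")
            seen.add(rule.num)
            if not matches(rule, pkt):
                i += 1
                continue
            if rule.action == 'skipto':
                i = self._jump(rule.target)
                continue
            if rule.action == 'deny':
                return 'deny'
            if rule.action == 'allow':
                if rule.limit is not None:          # stateful per-source cap
                    active = self.conns[pkt.src]
                    key = (pkt.sport, pkt.dport)
                    if key not in active and len(active) >= rule.limit:
                        return 'deny'               # shed load: too many conns
                    active.add(key)
                return 'allow'
            i += 1
        return 'deny'                               # default deny


# Constructed sample rule sets (assumptions, not anyone's real configuration).
RULES_LIMIT = [
    Rule(100, 'allow', dport=80, setup=True, limit=2),   # cap new conns per src
    Rule(200, 'allow', dport=80),                        # established traffic
    Rule(65535, 'deny'),
]
RULES_LOOP = [
    Rule(100, 'skipto', dport=80, target=300),
    Rule(200, 'deny'),
    Rule(300, 'skipto', dport=80, target=100),   # mistaken backward jump
    Rule(65535, 'deny'),
]


def run_demo() -> Tuple[List[str], str, bool]:
    fw = Firewall(RULES_LIMIT)
    syns = [Packet('198.51.100.7', '192.0.2.1', 80, 40000 + k, True) for k in range(3)]
    verdicts = [fw.process(p) for p in syns]       # third SYN exceeds limit
    established = fw.process(Packet('198.51.100.7', '192.0.2.1', 80, 40000, False))
    looped = Firewall(RULES_LOOP)
    try:
        looped.process(syns[0])
        loop_detected = False
    except RuleLoop:
        loop_detected = True
    return verdicts, established, loop_detected


if __name__ == '__main__':
    print(run_demo())                     # (['allow', 'allow', 'deny'], 'allow', True)
    print(find_backward_skipto(RULES_LOOP))   # [300]
```

The `seen` set in `process` is the runtime guard: a real firewall that lacks one keeps reprocessing the trapped packet, burning CPU on every pass, which fits the symptom of a box that is saturated while its measured traffic stays modest. `find_backward_skipto` is the cheaper check, run once on the rule set before loading it.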