Date:      Thu, 29 May 2003 06:42:39 +0700 (ICT)
From:      Olivier Nicole <on@cs.ait.ac.th>
To:        meconlen@obfuscated.net
Cc:        freebsd-performance@freebsd.org
Subject:   Re: High performance IDS/Firewall
Message-ID:  <200305282342.GAA07972@banyan.cs.ait.ac.th>
In-Reply-To: <3ED52FFF.3060903@obfuscated.net> (message from Michael Conlen on Wed, 28 May 2003 17:54:07 -0400)
References:  <3ED52FFF.3060903@obfuscated.net>

Hi Michael,

> I'm considering setting up a FreeBSD firewall/IDS system to handle 
> 60-80Mbit/sec of traffic. The box would have three adapters, two of them 
> bridging and one for access. I will place the IDS on the outside bridge 
> interface and apply IPFW rules on the system as needed. My concern is 
> what the failure order is if the system is under heavy load.

I am working on the same sort of problem. I had that box, with 3
ethernet adapters that I used as a router for ages. Now that I have a
real router, I thought I could use it as a firewall.

I am not at the snort stage yet.

Bridging works fine, but it seems that stateful rules need a high
end machine, even with low traffic (I believe I don't go beyond
5Mbps bursts).

A couple of tricks when configuring your firewall:

- incoming filter rules must be attached to the outside interface,
  while outgoing rules are attached to the inside interface (even
  though they are bridged, rules on the outside interface would not
  catch outgoing packets, or rather, rules on the inside interface
  would catch them first, so if the inside interface has a deny all...)

- while bridge(4) says that non-IP packets are transmitted without
  filtering, it seems that ARP packets are passed through the
  firewall.

I have no answer about the default fail safe, but I will certainly
install a cron script that will reset the machine whenever it finds it
cannot communicate anymore.

Bests

Olivier
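The two configuration tricks above (inbound rules bound to the outside interface, outbound rules bound to the inside interface) and the "reset when it cannot communicate" cron idea, written out as one script. This is an added example, not Olivier's or Michael's configuration. It assumes FreeBSD 4.x-era ipfw syntax loaded from a rules file with ipfw(8), bridge(4) with net.link.ether.bridge_ipfw=1 so that bridged frames are inspected once on the interface that received them (which is the behaviour the post's observation relies on), interface names fxp0 (outside) and fxp1 (inside), the documentation prefix 192.0.2.0/24 as the protected LAN, and a probe command, state file and reboot action that are parameters so the watchdog logic can be exercised without a network. All of those names are assumptions.

```shell
#!/bin/sh
# Added example for a bridged FreeBSD firewall; not code from the original post.
# Assumptions: ipfw1 syntax (FreeBSD 4.x), bridge(4) with net.link.ether.bridge_ipfw=1,
# outside interface fxp0, inside interface fxp1, LAN 192.0.2.0/24 (documentation range).

OUTSIDE=${OUTSIDE:-fxp0}
INSIDE=${INSIDE:-fxp1}
LAN=${LAN:-192.0.2.0/24}
RULES=${RULES:-/etc/ipfw.rules}

# gen_rules OUTSIDE INSIDE LAN: print an ipfw rules file.
# With bridge_ipfw, a bridged frame is evaluated on the interface that received it,
# so "in via" on the right interface is what separates the two directions.
gen_rules() {
    out=$1; in=$2; lan=$3
    cat <<EOF
flush
# Return traffic for state created below matches here first.
add 100 check-state
# Inbound from the Internet is received on the OUTSIDE interface.
add 200 allow tcp from any to $lan 80 in via $out setup keep-state
add 210 allow tcp from any to $lan 25 in via $out setup keep-state
add 290 deny ip from any to any in via $out
# Outbound from the LAN is received on the INSIDE interface. A "deny all"
# bound to $in would swallow the LAN's outgoing packets before any rule
# bound to $out could see them, which is the trap described in the post.
add 300 allow ip from $lan to any in via $in keep-state
add 390 deny ip from any to any in via $in
add 65000 deny ip from any to any
EOF
}

# reachable PROBE HOST...: 0 if any host answers the probe command, 1 otherwise.
reachable() {
    probe=$1; shift
    for host in "$@"; do
        if $probe "$host" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# watchdog PROBE STATEFILE ACTION HOST...: count consecutive probe failures in
# STATEFILE; on the third failure run ACTION (the reboot) and clear the counter.
# Returns 0 reachable, 1 failure below threshold, 2 threshold reached.
watchdog() {
    probe=$1; statefile=$2; action=$3; shift 3
    if reachable "$probe" "$@"; then
        rm -f "$statefile"
        return 0
    fi
    fails=$(( $(cat "$statefile" 2>/dev/null || echo 0) + 1 ))
    echo "$fails" > "$statefile"
    if [ "$fails" -ge 3 ]; then
        rm -f "$statefile"
        $action
        return 2
    fi
    return 1
}

# Command-line use (assumed paths):
#   fw.sh apply   -> write and load the ruleset
#   fw.sh watch   -> one watchdog pass; run it from cron every 5 minutes, e.g.
#                    */5 * * * * root /usr/local/sbin/fw.sh watch
# FreeBSD ping's -t is the overall timeout in seconds (assumption: FreeBSD ping).
case "${1:-}" in
apply)
    gen_rules "$OUTSIDE" "$INSIDE" "$LAN" > "$RULES"
    ipfw -q -f "$RULES"
    ;;
watch)
    watchdog "ping -c 1 -t 5" /var/run/fwwatch.fail "shutdown -r now" \
        192.0.2.1 192.0.2.2
    ;;
esac
```

Before trusting the "deny all" on either interface, check that ARP still resolves across the bridge from both sides (the post reports ARP being seen by the firewall despite what bridge(4) says), and test the watchdog with a probe that fails on purpose so that the reboot path is known to work before it is needed.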



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200305282342.GAA07972>