Date: Thu, 16 Jan 2003 12:46:08 -0800 (PST)
From: Josh Brooks <user@mail.econolodgetulsa.com>
To: Sean Chittenden <sean@chittenden.org>
Cc: freebsd-hackers@freebsd.org, <nate@yogotech.com>
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <20030116124254.J9642-100000@mail.econolodgetulsa.com>
In-Reply-To: <20030116203739.GA34165@perrin.int.nxad.com>
Again, thank you very much for your advice and comments - they are very well taken.

I will clarify and say that the fbsd system I am using / talking about is a _dedicated_ firewall. Only port 22 is open on it. The problem is, I have a few hundred ipfw rules (there are over 200 machines behind this firewall) and so when a DDoS attack comes, every packet has to traverse those hundreds of rules - and so even though the firewall is doing nothing other than filtering packets, the cpu gets all used up.

I have definitely put rules at the very front of the ruleset to filter out bad packets, and obvious attacks, but there is a new one devised literally every day.

------

So, you say that a poorly configured netscreen is no better than a poorly configured freebsd+ipfw ... but what about the best possibly configured netscreen vs. the best possibly configured freebsd+ipfw ?

thanks.

On Thu, 16 Jan 2003, Sean Chittenden wrote:

> > If I have a large network with high profile hosts (50+ shell servers, 50
> > or more different ircds running) am I wasting my time trying to hack and
> > tweak a FreeBSD host-based firewall running ipfw ?
>
> The suggestion later on to use a FreeBSD appliance is likely the best
> advice you've gotten. The only thing I'd suggest is to use ipfw in
> bridging mode that way your firewall is non-existent as far as the
> rest of the world is concerned. Don't do anything stateful and just
> filter out crap (where your definition of crap is left up to you).
>
> I've used PIX's before and have even gone so far as to work for Cisco
> for a while, so while I'm not allowed to say anything negative about
> the product (and won't ::wink::), I will suggest that you stick with
> FreeBSD as your firewall. -sc
>
> --
> Sean Chittenden
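The cost Josh describes comes from ipfw's first-match, linear walk: a flood packet that matches nothing early is compared against every rule ahead of the one that finally decides it. The model below is an added example, not code from this thread and not ipfw itself; it mimics that walk and counts rules examined per packet for three rulesets: the long per-host list, the same list with front-of-ruleset drops for sources that can never legitimately arrive from the Internet side, and a version that goes beyond the post by collapsing the per-host rules into one prefix-wide rule (which assumes every host shares the same policy). The prefix 192.0.2.0/24, the 200 host rules, the client 198.51.100.7 and the spoofed RFC 1918 flood are all constructed for the example.

```python
"""Model of ipfw's first-match, linear rule evaluation (added example, not code
from the thread or from ipfw). It counts how many rules a packet is compared
against before a verdict, to show why a flood against a long per-host ruleset
burns CPU and why "bad packets first" ordering helps. All addresses, the
200-host ruleset and the flood are constructed for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "ip" matches any protocol, else "tcp"/"udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


ANY = ip_network("0.0.0.0/0")
PROTECTED = ip_network("192.0.2.0/24")   # constructed: the prefix behind the firewall
HOSTS = list(PROTECTED.hosts())


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(ruleset, pkt):
    """First match wins, as in ipfw; returns (verdict, rules examined).
    No match falls through to a default deny, so every rule was examined."""
    for n, rule in enumerate(ruleset, 1):
        if matches(rule, pkt):
            return rule.action, n
    return "deny", len(ruleset)


def per_host_rules(n_hosts: int):
    """One 'allow ssh to this host' rule per machine: the long ruleset the post describes."""
    return [Rule("allow", "tcp", ANY, ip_network(str(h)), 22) for h in HOSTS[:n_hosts]]


def early_drop_rules():
    """Front-of-ruleset drops for sources that cannot legitimately arrive from the
    Internet side: RFC 1918 and loopback space, and our own prefix (spoofed)."""
    bogons = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", str(PROTECTED))
    return [Rule("deny", "ip", ip_network(b), ANY) for b in bogons]


def aggregate_rules():
    """Assumes every host shares the same policy: one prefix-wide rule replaces the host rules."""
    return [Rule("allow", "tcp", ANY, PROTECTED, 22)]


def flood(n_packets: int, target: IPv4Address):
    """Constructed flood: spoofed RFC 1918 sources, all aimed at one host's ssh port."""
    base = ip_address("10.0.0.1")
    return [Packet("tcp", base + i, target, 22) for i in range(n_packets)]


def compare(n_hosts=200, n_packets=1000):
    target = HOSTS[n_hosts - 1]                                     # host whose rule sits last
    attack = flood(n_packets, target)
    legit = Packet("tcp", ip_address("198.51.100.7"), target, 22)  # constructed real client
    rulesets = {
        "per_host": per_host_rules(n_hosts),
        "early_drop": early_drop_rules() + per_host_rules(n_hosts),
        "early_drop_aggregated": early_drop_rules() + aggregate_rules(),
    }
    out = {}
    for name, rs in rulesets.items():
        out[name] = {
            "rules": len(rs),
            "flood_checks": sum(evaluate(rs, p)[1] for p in attack),  # total rule comparisons
            "flood_verdict": evaluate(rs, attack[0])[0],
            "legit_checks": evaluate(rs, legit)[1],
        }
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:22s} rules={r['rules']:4d} flood_checks={r['flood_checks']:7d} "
              f"flood_verdict={r['flood_verdict']:5s} legit_checks={r['legit_checks']}")
```

Two things the numbers make visible. Without the front drops the spoofed packets are not only expensive (200 comparisons each) but are allowed through to the target, so the early section is a correctness fix as much as a CPU one; the price is a handful of extra comparisons for every legitimate packet, which is why that section should stay short and match on cheap, stable properties rather than chase each day's new pattern. The aggregated ruleset shows the other lever: when many hosts share one policy, the per-packet cost of the "allow" section no longer grows with the host count, which fits Sean's advice to keep the filter stateless and simple.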
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030116124254.J9642-100000>