> Again, thank you very much for your advice and comments - they are very > well taken. > > I will clarify and say that the fbsd system I am using / talking about is > a _dedicated_ firewall. Only port 22 is open on it. Do not open this port outside
> The problem is, I have a few hundred ipfw rules (there are over 200 > machines behind this firewall) and so when a DDoS attack comes, every > packet has to traverse those hundreds of rules - and so even though the > firewall is doing nothing other than filtering packets, the cpu gets all > used up. Try this simple ruleset: possible deny log tcp from any to any setup tcpoptions !mss ipfw add allow ip from any to any out ipfw add allow ip from any to your.c.net{x,y,z,so on...} ipfw add deny log ip from any to any where your.c.net{x,y,z,so on...} is your /24 net and list of hosts in this net. If you have more then one /24 net use one rule per each (see man ipfw). Does this cover your needs? (as I wrote accounting is different task) > I have definitely put rules at the very front of the ruleset to filter out > bad packets, and obvious attacks, but there is a new one devised literally > every day. I have 3000+ users with 1 or more IP each. typical reconfiguration rate of one router: 0sw~(3)#zcat /var/log/all.0.gz | grep 'config now' | wc -l 91 0sw~(4)#zcat /var/log/all.1.gz | grep 'config now' | wc -l 90 0sw~(5)#zcat /var/log/all.2.gz | grep 'config now' | wc -l 92 _per day_ and it is very easy ... with ISPMS/ISPDB based on PostgreSQL Do you interested? -- @BABOLO http://links.ru/ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message