> Again, thank you very much for your advice and comments - they are very
> well taken.
> 
> I will clarify and say that the fbsd system I am using / talking about is
> a _dedicated_ firewall.  Only port 22 is open on it.
Do not open this port to the outside.

> The problem is, I have a few hundred ipfw rules (there are over 200
> machines behind this firewall) and so when a DDoS attack comes, every
> packet has to traverse those hundreds of rules - and so even though the
> firewall is doing nothing other than filtering packets, the cpu gets all
> used up.
Try this simple ruleset:

possibly: ipfw add deny log tcp from any to any setup tcpoptions !mss

ipfw add allow ip from any to any out
ipfw add allow ip from any to your.c.net{x,y,z,so on...}
ipfw add deny log ip from any to any

where your.c.net{x,y,z,so on...} is your /24 net and the list
of hosts in this net.
If you have more than one /24 net, use one rule
per net (see man ipfw).
Does this cover your needs?
(as I wrote, accounting is a different task)

> I have definitely put rules at the very front of the ruleset to filter out
> bad packets, and obvious attacks, but there is a new one devised literally
> every day.
I have 3000+ users with 1 or more IPs each.
Typical reconfiguration rate of one router:
0sw~(3)#zcat /var/log/all.0.gz | grep 'config now' | wc -l
      91
0sw~(4)#zcat /var/log/all.1.gz | grep 'config now' | wc -l
      90
0sw~(5)#zcat /var/log/all.2.gz | grep 'config now' | wc -l
      92
_per day_

and it is very easy ... with ISPMS/ISPDB based on PostgreSQL

Are you interested?

-- 
@BABOLO      http://links.ru/
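A generator for the short ruleset suggested above, added here as an example and not code from the mail or from ipfw itself. The host list is constructed; the script groups hosts by /24 and emits one allow rule per net using ipfw's `addr/24{list}` address syntax, with the catch-all deny last.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of hosts behind the firewall (assumption, not from the mail).
HOSTS = ["192.0.2.10", "192.0.2.11", "192.0.2.200",
         "198.51.100.5", "198.51.100.77"]


def group_hosts_by_c_net(hosts):
    """Group host addresses by their /24 network.

    Returns {IPv4Network: sorted list of last octets}; ipfw's
    addr/24{list} form matches on the last byte only, so grouping
    by /24 is what makes that syntax applicable.
    """
    groups = defaultdict(set)
    for h in hosts:
        addr = ipaddress.IPv4Address(h)
        net = ipaddress.IPv4Network(f"{addr}/24", strict=False)
        groups[net].add(int(addr) & 0xFF)
    return {net: sorted(octets) for net, octets in groups.items()}


def build_ruleset(hosts, log_denies=True):
    """Emit the three-step ruleset: allow out, allow only listed hosts in, deny rest.

    Short rulesets keep per-packet cost low under flood conditions, and
    the final deny (optionally logged) gives visibility into what was dropped.
    """
    rules = ["ipfw add allow ip from any to any out"]
    groups = group_hosts_by_c_net(hosts)
    for net in sorted(groups):
        lst = ",".join(str(o) for o in groups[net])
        rules.append(f"ipfw add allow ip from any to {net.network_address}/24{{{lst}}}")
    log = "log " if log_denies else ""
    rules.append(f"ipfw add deny {log}ip from any to any")
    return rules


if __name__ == "__main__":
    print("\n".join(build_ruleset(HOSTS)))
```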

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
