> > > > Try this simple ruleset:
> > > > 
> > > > possible deny log tcp from any to any setup tcpoptions !mss
> > > > 
> > > > ipfw add allow ip from any to any out
> > > > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > > > ipfw add deny log ip from any to any
> > > 
> > > I'd limit these to the outside interface, for performance rules.
> > > 
> > > # Whatever the interface is...
> > > outif="fxp0"
> > > ipfw add allow ip from any to any out via ${outif}
> > > ipfw add allow ip from any to your.c.net{x,y,z,so on...} via ${outif}
> > > ipfw add deny log ip from any to any via ${outif}
> > > 
> > > etc...
> >
> > Your above ruleset seems to be correct ... if you add
> > some rule for outgoing traffic.
> > I was too fast and kept in mind only incoming traffic.
> > 
> > Effectiveness depends on the number of interfaces.
> > If I remember right, one external and one internal.
> > If so, the ruleset without interfaces defined
> > for allow rules is not worse than without interfaces IMHO.
> 
> Not true.  The packets still pass through 'both' interfaces, and as such
> the number of rules it must traverse is doubled (once for the internal,
> one for the external).  Halving the # of ipfw rules is an easy way to
> decrease the load on a CPU. :)
> 
> For most people, it makes little difference, but the user in question
> has a firewall that's overloaded, so 2x decrease in the # of rules might
> make the difference, since the 'load' is caused by packets that
> shouldn't be getting through..
The point is that a DDoS goes against existing IP
addresses in the internal net and will be passed through, so the faster the
ruleset passes DoS packets the better ... for the firewall :-)

-- 
@BABOLO      http://links.ru/
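The rule suggested at the top of the thread, "deny log tcp from any to any setup tcpoptions !mss", combines two ipfw(8) matchers: "setup" matches TCP segments with SYN set and ACK clear, and "tcpoptions !mss" matches segments whose option list carries no MSS option. Every normal OS stack puts an MSS option in its SYN, so a bare SYN without one is what hand-built flood packets from raw-socket tools tend to look like. The following is an added example, not code from the thread or from ipfw, that implements the same test directly on raw TCP header bytes; the three sample segments are constructed for the example, not captured traffic, and the decision to treat a malformed option list as "no MSS" is my own choice.

```c
/* Added example (not from the thread or ipfw): what ipfw's
 * "deny tcp from any to any setup tcpoptions !mss" matches, implemented
 * directly on raw TCP header bytes.  "setup" = SYN set and ACK clear;
 * "tcpoptions !mss" = no MSS option (kind 2) in the options field.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCP_FLAG_SYN 0x02
#define TCP_FLAG_ACK 0x10
#define TCPOPT_EOL   0
#define TCPOPT_NOP   1
#define TCPOPT_MSS   2

/* Walk the TCP options; return 1 if an MSS option is present, 0 if not.
 * A malformed option list is treated as "no MSS" (assumption made here),
 * since a real stack never emits one. */
static int tcp_has_mss(const uint8_t *opts, size_t len) {
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) return 0;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return 0;                /* truncated option header */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return 0;  /* bogus option length */
        if (kind == TCPOPT_MSS && olen == 4) return 1;
        i += olen;
    }
    return 0;
}

/* Return 1 if a raw TCP segment (header + options [+ payload]) would match
 * "setup tcpoptions !mss": a pure SYN carrying no MSS option.  Returns 0
 * for anything else, including segments too short to hold a TCP header. */
int matches_setup_without_mss(const uint8_t *seg, size_t len) {
    if (len < 20) return 0;
    size_t doff = (size_t)(seg[12] >> 4) * 4;  /* data offset in bytes */
    if (doff < 20 || doff > len) return 0;     /* invalid header length */
    uint8_t flags = seg[13];
    int is_setup = (flags & TCP_FLAG_SYN) && !(flags & TCP_FLAG_ACK);
    if (!is_setup) return 0;
    return !tcp_has_mss(seg + 20, doff - 20);
}

/* Constructed sample segments (not captured traffic). */

/* SYN as a real stack sends it: doff=6 (24 bytes), MSS option = 1460 */
static const uint8_t syn_with_mss[24] = {
    0xc3, 0x50, 0x00, 0x50,       /* sport 50000, dport 80 */
    0, 0, 0, 1,  0, 0, 0, 0,      /* seq, ack */
    0x60, 0x02,                   /* doff=6, flags=SYN */
    0xff, 0xff, 0, 0, 0, 0,       /* window, checksum, urgent */
    0x02, 0x04, 0x05, 0xb4        /* MSS option: kind 2, len 4, 1460 */
};
/* Bare SYN: 20-byte header, no options at all (flood-tool style) */
static const uint8_t syn_bare[20] = {
    0xc3, 0x50, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
    0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0
};
/* SYN+ACK without MSS: ACK is set, so not a "setup" segment */
static const uint8_t synack_bare[20] = {
    0x00, 0x50, 0xc3, 0x50, 0, 0, 0, 2, 0, 0, 0, 2,
    0x50, 0x12, 0xff, 0xff, 0, 0, 0, 0
};

int main(void) {
    printf("SYN with MSS   -> %d\n",
           matches_setup_without_mss(syn_with_mss, sizeof syn_with_mss));
    printf("bare SYN       -> %d\n",
           matches_setup_without_mss(syn_bare, sizeof syn_bare));
    printf("bare SYN+ACK   -> %d\n",
           matches_setup_without_mss(synack_bare, sizeof synack_bare));
    return 0;
}
```

Only the bare SYN is reported as a match; the SYN carrying an MSS option and the SYN+ACK are left alone, which is the behaviour the ipfw rule has. Note that the rule only helps against the flood tools that omit MSS; an attacker who copies a real stack's option layout is not caught by it.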
