Re: [Efw-user] syn-flood prevention?

2015-02-12 Thread Josh Carter
Looks promising. As a pure firewall it should do well, will have to keep an eye 
on the development of some of the UTM features due later this year. (Squid, 
IPS, etc)


From: Matt Hayes [mailto:domin...@slackadelic.com]
Sent: Thursday, 12 February 2015 3:26 AM
To: efw-user@lists.sourceforge.net
Subject: Re: [Efw-user] syn-flood prevention?

I've been testing opnsense (opnsense.org) a pfsense fork.. 
really like it.

On Wed, Feb 11, 2015 at 11:10 AM, Jason <phibro...@gmail.com> wrote:
I've heard pfSense was a good alternative to Endian... as I still run
this for my school/church.
I am looking for alternatives as well... I also run a UBNT EdgeRouter
Lite (which, like he said below, is based on the Juniper / Brocade CLI...
it's not Cisco or HP CLI...) and with the latest firmware update there
is a bunch that you can do now from the GUI; the last tab is in
a tree format.

Jason
On 2/11/15 3:18 AM, Andre Mueller wrote:
> Yes, I can recommend Ubiquiti's EdgeRouters as a "hardware based"
> alternative. I deployed several units of EdgeRouter Lite and also some
> EdgeRouter Pro. The GUI does not allow you to configure all details, but
> this can be accomplished with the CLI, which is very intuitive. The OS
> is based on the open-source OS of Vyatta (now part of Brocade).
> Unfortunately the free version offered by Brocade is missing a GUI.
>
> For our own purposes I will try the free version of Sophos, in order to
> replace our virtualized Endian firewall and router.
>
> best regards,
>
> Am 10.02.2015 um 14:31 schrieb AJ Weber:
>> I was a long-time user of EFW and liked the product, but I'm not telling
>> you anything you don't already know when I say that they've completely
>> ignored the distro and there's virtually no development or support any
>> longer.
>>
>> Someone here mentioned Ubiquiti's EdgeRouters a while back, so I bought
>> an EdgeRouter Lite.  It has been very stable, fast and secure.  It
>> doesn't have all of the "appliance" features, because it's designed as a
>> router/fw first.  But you can add debian packages to tweak it --
>> provided you keep in mind that it has finite cpu and memory.
>>
>> Would be nice if their OS was ready to run on any intel-based box, but
>> their prices are more-than-fair for the hardware.  And their forums are
>> very responsive from other users AND the developers.
>>
>> In my case, I replaced an EFW "PC" and a load-balancer with the one
>> EdgeRouter Lite for way lower electric consumption and faster throughput.
>>
> --
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> ___
> Efw-user mailing list
> Efw-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/efw-user

--
The unauthorized disclosure or interception of e-mail is a federal crime. See 
18 U.S.C. Sec. 2517(4). This message is confidential and intended for the 
identified recipient only.  It may contain privileged or confidential 
information. This e-mail and any files transmitted with it are the property of 
the sender, are confidential and may be privileged, and are intended solely for 
the use of the individuals or parties to whom this e-mail is addressed. If you 
are not one of the named recipients or have received this message in error, 
please notify the sender immediately and delete this message. You are also 
hereby notified that any unauthorized dissemination, distribution, or copying 
of this information is strictly prohibited. The sender shall not be liable for 
any unauthorized use of, or inaccuracies resulting from additions to or 
deletions from, information originally contained in this transmission




 Charter Hall 
This e-mail message and any accompanying attachments may contain information 
that is confidential and subject to legal privilege.  If you are not the 
intended recipient, do not read, use, disseminate

Re: [Efw-user] syn-flood prevention?

2015-02-10 Thread Josh Carter
+1.

Moved from Endian ~12 months ago now.

I’ve found ipfire to be close to a like-for-like replacement, with an appropriate 
level of community and developer support available when needed.

Just my 2c.

--JC


From: Matt Hayes [mailto:domin...@slackadelic.com]
Sent: Tuesday, 10 February 2015 3:02 AM
To: efw-user@lists.sourceforge.net
Subject: Re: [Efw-user] syn-flood prevention?

I'm only responding as most likely you will not get a response from Endian 
themselves, I'm not sure why it is not working if you have syn flood protection 
enabled already.  I myself am slowly moving from Endian Firewall Community as 
I'm not able to get any answers from Endian or their developers at all.
There are numerous security issues with the distribution specifically with SSH 
and openssl.  I'm moving to a more up to date and maintained firewall for my 
needs.

Good luck.

On Mon, Feb 9, 2015 at 9:41 AM, Andre Mueller <andre.muel...@himmel-blau.com> wrote:

Endian 3.0.devel : Community Version

Hello

I have the problem that our Endian installation, configured as a router
(public subnet on the orange zone), is attacked on the router's
WAN interface (Red uplink) by massive syn-flood "requests".

As we have checked on our Endian, syn_cookies are activated, so the first
prerequisite for protection against syn-flood attacks is active. But the
problem is that our router does respond to every syn-flood request
(SYN_SENT) and by doing so it saturates our WAN/upload line.

Is there any possibility that we can prevent our router from sending out any
SYN packet whenever a certain amount of unacknowledged SYN packets
have been sent out to the very same IP destination (but on different ports)?


I would be grateful for any hint. Thanks in advance, Andre
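Before adding a rate limit, it is worth measuring what Andre describes: how many unanswered SYNs the box is holding per destination. The script below is an added example for this thread, not Endian code. It parses the conntrack table in the /proc/net/nf_conntrack text format (on the 2.6 kernels EFW 2.x/3.0 shipped, the file is /proc/net/ip_conntrack and its lines lack the leading "ipv4 2"; the parser accepts both). The sample dump is constructed, the threshold, chain name and rates are placeholders, and the generated rule assumes an iptables with the hashlimit match that understands --hashlimit-above.

```python
"""Spot destinations that are accumulating half-open outbound TCP flows.

Added example; the conntrack sample below is constructed, not a capture.
"""
import re
from collections import Counter

SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 117 SYN_SENT src=203.0.113.10 dst=198.51.100.7 sport=40001 dport=80 [UNREPLIED] src=198.51.100.7 dst=203.0.113.10 sport=80 dport=40001 mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=203.0.113.10 dst=198.51.100.7 sport=40002 dport=443 [UNREPLIED] src=198.51.100.7 dst=203.0.113.10 sport=443 dport=40002 mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=203.0.113.10 dst=198.51.100.7 sport=40003 dport=8080 [UNREPLIED] src=198.51.100.7 dst=203.0.113.10 sport=8080 dport=40003 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=192.0.2.20 sport=50000 dport=443 src=192.0.2.20 dst=203.0.113.10 sport=443 dport=50000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 50 SYN_RECV src=192.0.2.99 dst=203.0.113.10 sport=1234 dport=22 src=203.0.113.10 dst=192.0.2.99 sport=22 dport=1234 mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.10 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=203.0.113.10 sport=53 dport=5353 mark=0 use=1
"""

# For a tcp entry the state word sits right before the first src=/dst= pair.
ENTRY_RE = re.compile(
    r"\btcp\b.*?\b(?P<state>[A-Z_]+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)


def half_open_by_destination(dump):
    """Count SYN_SENT entries the peer never answered, keyed by destination IP."""
    counts = Counter()
    for line in dump.splitlines():
        m = ENTRY_RE.search(line)
        if m is None:
            continue  # udp/icmp entries and other noise carry no tcp state
        if m.group("state") != "SYN_SENT" or "[UNREPLIED]" not in line:
            continue  # answered, or not an outbound handshake in progress
        counts[m.group("dst")] += 1
    return counts


def flooding_destinations(dump, threshold):
    """Destinations with at least `threshold` unanswered SYNs (sorted for stable output)."""
    return sorted(
        dst for dst, n in half_open_by_destination(dump).items() if n >= threshold
    )


def syn_limit_rule(dst, chain="FORWARD", per_second=20, burst=50):
    """Illustrative iptables rule: drop SYNs to `dst` above a per-destination rate.

    Assumes a hashlimit match that supports --hashlimit-above. Chain, rate
    and burst are placeholders to tune, not values taken from the thread.
    """
    return (
        f"iptables -I {chain} -p tcp --syn -d {dst} "
        f"-m hashlimit --hashlimit-name synout --hashlimit-mode dstip "
        f"--hashlimit-above {per_second}/sec --hashlimit-burst {burst} -j DROP"
    )


def read_conntrack(path="/proc/net/nf_conntrack"):
    """Read the live table; use /proc/net/ip_conntrack on the older kernels."""
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    dump = SAMPLE_CONNTRACK  # swap for read_conntrack() on the firewall itself
    counts = half_open_by_destination(dump)
    for dst in flooding_destinations(dump, threshold=3):
        print(f"{dst}: {counts[dst]} unanswered SYNs")
        print("  " + syn_limit_rule(dst))
```

Run it a few times during the attack and compare the counts; a destination that stays at the top while its entries keep timing out is the one to rate-limit. Note that syn_cookies protect the box from inbound SYN floods filling its own listen queues; they do nothing about SYNs the box itself (or a host behind it) is sending, which is the direction this check looks at.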






Re: [Efw-user] Bandwidth and Thruput

2013-03-20 Thread Josh Carter
This is good info here, but something to watch out for:

SKIPMIME image/* video/* audio/*

The above line will PREVENT all images, videos and audio from being scanned for 
viruses. There are obvious security implications with that, and you should 
evaluate your security requirements before applying that setting.


From: Farzan Qureshi [mailto:fqure...@rosmini.school.nz]
Sent: Thursday, 21 March 2013 11:21 AM
To: efw-user@lists.sourceforge.net
Subject: Re: [Efw-user] Bandwidth and Thruput

Hi Herbert,

I was having similar issues with Endian firewall at our end. I have done some 
modifications to the TCP/IP stack manually and some optimization to 
dansguardian. It is working very well.

You can try the following settings and hopefully this will fix your issues, because 
it did for us. Remember to first reboot your Endian firewall and, once it is up, 
access it through the console and make the changes to the TCP/IP stack. But let me tell you, 
I still haven't had enough time to figure out how to make these TCP/IP changes 
permanent, because they revert to the default settings on reboot. But for 
dansguardian those settings are permanent.

I noticed that the TTL for established connections is too big by default, that is 
119:00-something... which means a connection may live up to 5 days and hence 
choke the available ports. (You can check this under Status, then Connections.)

Following are the instructions for you:


TCP/IP Stack Modifications


Set tcp_max_orphans (writing the value with echo; editors such as nano do not
reliably save to /proc pseudo-files):

echo 8192 > /proc/sys/net/ipv4/tcp_max_orphans

Run the following three commands one by one:

echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl

Set tcp_keepalive_probes:

echo 5 > /proc/sys/net/ipv4/tcp_keepalive_probes

Edit:

nano /etc/sysctl.conf

and change the following values to those shown below, or add them if they
are not present (the key is tcp_max_orphans, with an s; sysctl rejects
the misspelled key):

net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 8192
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 1200

Save the changes.

Run the following commands one by one:

echo 1200 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo 131072 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max




==
DANSGUARDIAN AND ANTIVIRUS OPTIMIZATION
==

Edit the file:

nano /usr/lib/efw/dansguardian/default/settings

and enter/change the following parameters:

MAXCHILDREN=500
MINCHILDREN=128
MINSPARECHILDREN=32
PREFORKCHILDREN=16
MAXSPARECHILDREN=256
MAXAGECHILDREN=1

Edit the following file:

nano /etc/havp/havp.conf.tmpl

and add the following parameters:

MAXSERVERS 150
SERVERNUMBER 50

Also add parameters after this line in the file:

STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS gnome-vfs xine

The parameters to add after the above line:

RANGE true
SKIPMIME image/* video/* audio/*


Hope this helps.

Kind regards,

Farzan

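The TCP/IP stack part of Farzan's procedure is a set of sysctl values that, by his own account, are back at their defaults after a reboot. The script below is an added example for this thread (not Endian's or Farzan's code) that turns that procedure into something checkable: it audits the live /proc/sys tree against a wanted profile, reports drift, and can reapply the values. Two caveats from my side, not from the thread: tcp_tw_recycle is left out of the profile because it drops legitimate SYNs from clients behind NAT whose TCP timestamps appear to go backwards, and it was removed from Linux in 4.12; and the net.ipv4.netfilter.ip_conntrack_* names are the legacy ip_conntrack keys that EFW's 2.6 kernel uses, whereas current kernels expose them as net.netfilter.nf_conntrack_*. The "after reboot" defaults used in the demo are constructed to match what Farzan describes (a five-day established timeout), not read from a real box.

```python
"""Audit and (re)apply a sysctl profile against a /proc/sys tree.

Added example. WANTED mirrors the values posted in the thread minus
tcp_tw_recycle; the demo values are constructed, not taken from a real box.
"""
import os
import tempfile

WANTED = {
    "net.ipv4.tcp_max_orphans": "8192",
    "net.ipv4.tcp_tw_reuse": "1",
    "net.ipv4.tcp_keepalive_intvl": "30",
    "net.ipv4.tcp_keepalive_probes": "5",
    "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established": "1200",
    "net.ipv4.netfilter.ip_conntrack_max": "131072",
}


def key_to_path(key, root="/proc/sys"):
    """net.ipv4.tcp_tw_reuse -> <root>/net/ipv4/tcp_tw_reuse"""
    return os.path.join(root, *key.split("."))


def read_sysctl(key, root="/proc/sys"):
    with open(key_to_path(key, root)) as fh:
        return fh.read().strip()


def audit(wanted, root="/proc/sys"):
    """Return {key: (current, wanted)} for every key that differs or is missing.

    A missing key (None) usually means the module is not loaded or the
    kernel uses a different name for it, so it is reported rather than ignored.
    """
    drift = {}
    for key, want in wanted.items():
        try:
            current = read_sysctl(key, root)
        except FileNotFoundError:
            current = None
        if current != want:
            drift[key] = (current, want)
    return drift


def apply_profile(wanted, root="/proc/sys"):
    """Write each value the way `echo N > /proc/sys/...` does (needs root on a real box)."""
    for key, want in wanted.items():
        with open(key_to_path(key, root), "w") as fh:
            fh.write(want + "\n")


def sysctl_conf_lines(wanted):
    """The same profile as /etc/sysctl.conf lines, so the two cannot drift apart."""
    return [f"{key} = {value}" for key, value in sorted(wanted.items())]


def fake_proc_sys(values):
    """Build a throwaway /proc/sys look-alike so the audit runs without root."""
    root = tempfile.mkdtemp(prefix="fake-proc-sys-")
    for key, value in values.items():
        path = key_to_path(key, root)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")
    return root


def demo():
    """Audit a constructed 'fresh after reboot' tree, apply the profile, audit again."""
    root = fake_proc_sys({
        "net.ipv4.tcp_max_orphans": "65536",
        "net.ipv4.tcp_tw_reuse": "0",
        "net.ipv4.tcp_keepalive_intvl": "75",
        "net.ipv4.tcp_keepalive_probes": "9",
        "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established": "432000",  # 5 days
        "net.ipv4.netfilter.ip_conntrack_max": "65536",
    })
    before = audit(WANTED, root)
    apply_profile(WANTED, root)
    after = audit(WANTED, root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for key, (cur, want) in sorted(before.items()):
        print(f"drift: {key} = {cur} (wanted {want})")
    print("after apply:", "clean" if not after else after)
    print("\n".join(sysctl_conf_lines(WANTED)))
```

On the firewall itself, run `audit(WANTED)` against the real /proc/sys right after boot: an empty result means /etc/sysctl.conf was honoured; a full result means whatever boot script resets the stack is running after sysctl, and the place to fix is that script, not the values.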

On 20 March 2013 21:45, Herbert Appel <postmas...@nx-networx.de> wrote:
Hi,

thanks for your hints - I´ll check.

Herbert

Am 20.03.2013 um 09:38 schrieb Andre Mueller:

>
> Hello Herbert
>
> If possible I would first try, only for testing purposes, to switch off
> the proxy functionality. Further, I would try to make "measurements" by
> placing a computer in the Red subnet and transferring large data
> to/from another computer in the green subnet using a simple protocol.
> Also verify whether the green interface is really working at 100Mbits and
> not at 10Mbits. How is the CPU load? And is /var/log perhaps full?
>
> best regards, Andre
>
>
> Am 20.03.13 09:20, schrieb Herbert Appel:
>> Hello Andre,
>>
>> hmm - but what could be the reason for that decrease from 50MBit/s --> 
>> 7MBit/s?
>>
>> Herbert
>> Am 20.03.2013 um 09:10 schrieb Andre Mueller:
>>
>>>
>>> Hello Herbert
>>>
>>> We have FTTH with 50/10Mbits/s (waiting for 100/100) and are running EFW
>>> 2.5.1 Community Version as a VM on VMware ESXi 4.1 on a single-CPU board
>>> with a Quad Core Xeon L5630 2.13 GHz together with two other web-server
>>> VMs. Although we do not use any proxy functions (ClamAV, AMAVIS,
>>> Content-Filter) we have full speed on the Green interface in
>>> uploading/downloading towards/from the Red interface and GBit/s speed
>>> from/toward the DMZ Orange interface. CPU load never exceeds 5% and we
>>> have assigned 1 GByte of RAM (actually 50% used).
>>>
>>> with best regards, Andre
>>>
>>>
>>> Am 20.03.13 07:40, schrieb Herbert Appel:
 Hello everyone,
 
 we use the latest version of EFW 2.51 in school.
 Since about one week we are connected to FTTH (FOS 100 as CPE) with 
 50MBit/s.
 On the red IF there are truly 50MBit/s, but on the green IF there are 
 only 7MBit/s.
 Of course the services decelerate the th

Re: [Efw-user] Bandwidth and Thruput

2013-03-20 Thread Josh Carter
As stated CPU / RAM are your primary concern here. If your CPU usage is high, 
your throughput will be limited as such. One other consideration for ClamAV is 
disk speed. The file is downloaded to your EFW disk, scanned by clamav, then 
passed through to your client. If the disk is slow, that can be a factor.

I have an Intel Atom based EFW running IPS/Proxy/ClamAV etc. and I'm able to 
fully utilise my 20mbit connection, however I do see ~90% CPU usage and I have 
an SSD hard drive to improve the 'speed' of clamav. I imagine you would need 
the newer generation dual-core Atoms or a Core i3+ to cope with all the 
services on a 100/100mbit link.

Hope that's helpful.


From: compdoc [mailto:comp...@hotrodpc.com]
Sent: Thursday, 21 March 2013 12:43 AM
To: efw-user@lists.sourceforge.net
Subject: Re: [Efw-user] Bandwidth and Thruput

>the NICs are 3COM and Realtek 10/100MBit/s
>CPU load is about 80%

100baseT = 100 Mbps = 12.5 MBps

EFW depends on the speed of the host cpu and on the network cards. Because of 
overhead and the limits of older computer buses and cpus, I don't believe you 
will get much more than 7MBit/s using 100baseT nics.

I also do not believe 3Com NICs are known for their speed.

What cpu is in the firewall, and how much ram? These are very important when 
processing your enabled services.



