Hello,
in early January this year there was a discussion about the way ipfw
interacts with ipsec. Last November ipfw was changed to process ipsec
datagrams twice: Once before and a second time after the decoding
procedure. This makes life easier for people who use gif tunnels with
ipsec transport
Hi!
For a long time I've been disappointed with features in the ports system. No ports
conflicts checking and other stuff.
Last year I've begun to make some things - I've found obsoleted bin/13649 and
ports/13650 PRs that introduce a ports conflicts checking, I've asked in
freebsd-ports and portmgr about this
Hmmm. This looks interesting. I'll review your patches this weekend,
OK?
- Jordan
On Thursday, January 16, 2003, at 09:15 AM, Sergey Matveychuk wrote:
Hi!
For a long time I've been disappointed with features in the ports system. No
ports
conflicts checking and other stuff.
Last year I've begun
Hi,
If I have a large network with high profile hosts (50+ shell servers, 50
or more different ircds running) am I wasting my time trying to hack and
tweak a FreeBSD host-based firewall running ipfw ?
I am getting hammered by a different (D)DoS attack every single day - it's
always something
Josh Brooks wrote:
If I have a large network with high profile hosts (50+ shell servers, 50
or more different ircds running) am I wasting my time trying to hack and
tweak a FreeBSD host-based firewall running ipfw ?
I am getting hammered by a different (D)DoS attack every single day - it's
Thank you for that advice - it is very well taken.
Obviously, my goal is to mitigate as much as possible - I have accepted
that I cannot stop all DDoS - my question is, do serious people ever
attempt to do the mitigation/load shedding with a host-based firewall (in
this case fbsd+ipfw) ? Or
Obviously, my goal is to mitigate as much as possible - I have accepted
that I cannot stop all DDoS - my question is, do serious people ever
attempt to do the mitigation/load shedding with a host-based firewall (in
this case fbsd+ipfw) ? Or would all serious people interested in
mitigating
Again, thank you very much for your advice and comments - they are very
well taken.
I will clarify and say that the fbsd system I am using / talking about is
a _dedicated_ firewall. Only port 22 is open on it.
The problem is, I have a few hundred ipfw rules (there are over 200
machines behind
Again, thank you very much for your advice and comments - they are very
well taken.
I will clarify and say that the fbsd system I am using / talking about is
a _dedicated_ firewall. Only port 22 is open on it.
Ah, OK. That wasn't clear from your emails.
The problem is, I have a few
As far as the suggestion to use the FreeBSD box in bridging mode, I
can't speak to that. My attempts to do so were less than successful, so
I stuck with the more 'common' router/firewall combination.
In case you are still interested in running an ipfw-based FreeBSD firewall
in bridging mode:
Nate,
So you are saying that if I put in:
ipfw add 1 deny tcp from any to 10.10.10.10 6667
That an incoming packet for 10.10.10.10 on port 6667 will go through the
rule set _twice_ (once for each interface) ? I don't understand this - if
it comes in on the external and hits that rule, it
On Thu, Jan 16, 2003 at 08:15:44PM +0300, Sergey Matveychuk wrote:
It was 1 December 2002. Till now there has been no reaction.
I've written a few mails to portmgr but I've just been ignored.
You've forgotten that we've been deep in the middle of a release cycle
for the past several months. I want to look
Hello,
Is there any possibility of helping me get FreeBSD started with the SMP
option (non-SMP works okay) on a modern 2-Xeon server?
I have about two weeks for accomplishing that, after that machine either
goes under Linux, or even under Windows, as there is a complementary
(and very
So you are saying that if I put in:
ipfw add 1 deny tcp from any to 10.10.10.10 6667
That an incoming packet for 10.10.10.10 on port 6667 will go through the
rule set _twice_ (once for each interface) ?
No, that much is true. However, you want to optimize your firewall for
packets
The 'firewall' manual page is a must-read.
http://www.freebsd.org/cgi/man.cgi?query=firewall&apropos=0&sektion=0&manpath=FreeBSD+4.7-stable&format=html
I recommend that you first construct your firewall without worrying
too much about optimizing it. Let it run a while, then use
You don't want to stick the 'block abnormal packets' rules at the top of
the list, IMO. You want those at the end, since abnormal packets are
*usually* the exception. Optimize for the standard case.
Wow - that is _very interesting_ that you say this. We were having a
similar discussion on
:My problem is that every time I add a new rule to the top, a new kind of
:attack is used, and gets through just fine - so I have 12K packets/s
:coming through all 300 rules of mine no matter what I put in :)
:
:thanks again for your help and comments.
If attacks are a predominant problem
Josh Brooks wrote:
Thank you for that advice - it is very well taken.
Obviously, my goal is to mitigate as much as possible - I have accepted
that I cannot stop all DDoS - my question is, do serious people ever
attempt to do the mitigation/load shedding with a host-based firewall (in
this case
You don't want to stick the 'block abnormal packets' rules at the top of
the list, IMO. You want those at the end, since abnormal packets are
*usually* the exception. Optimize for the standard case.
Wow - that is _very interesting_ that you say this. We were having a
similar
If attacks are a predominant problem for you, I recommend sticking a
machine in between your internet connection and everything else whos
Actually this is what I already do - my ISP does all the routing, and it
feeds in one interface of my freebsd machine, and everything else is on
the
Josh Brooks wrote:
Thank you for that advice - it is very well taken.
Obviously, my goal is to mitigate as much as possible - I have accepted
that I cannot stop all DDoS - my question is, do serious people ever
attempt to do the mitigation/load shedding with a host-based firewall (in
this
:per second down its throat, it chokes _hard_. You think that optimizing
:my ruleset will change that ? Or does 15K p/s choke any freebsd+ipfw
:firewall with 1-200 rules running on it ?
:
:thanks.
Run 'ipfw -v list' on it.
-Matt
Again, thank you very much for your advice and comments - they are very
well taken.
I will clarify and say that the fbsd system I am using / talking about is
a _dedicated_ firewall. Only port 22 is open on it.
Do not open this port outside
The problem is, I have a few hundred ipfw rules
Run 'ipfw -v list' on it.
Yes .. I do that ... and it shows me a list of my firewall rules. I
usually use `ipfw show`. What is the difference, and what does this
accomplish ? Sorry if I am missing something.
Josh Brooks wrote:
Again, thank you very much for your advice and comments - they are very
well taken.
I will clarify and say that the fbsd system I am using / talking about is
a _dedicated_ firewall. Only port 22 is open on it.
The problem is, I have a few hundred ipfw rules (there are over
Josh Brooks wrote:
So, you say that a poorly configured netscreen is no better than a poorly
configured freebsd+ipfw ... but what about the best possibly configured
netscreen vs. the best possibly configured freebsd+ipfw ?
The answer to that particular question depends on what you mean
by
Try this simple ruleset:
possible deny log tcp from any to any setup tcpoptions !mss
ipfw add allow ip from any to any out
ipfw add allow ip from any to your.c.net{x,y,z,so on...}
ipfw add deny log ip from any to any
I'd limit these to the outside interface, for performance rules.
#
:
:
: Run 'ipfw -v list' on it.
:
:Yes .. I do that ... and it shows me a list of my firewall rules. I
:usually use `ipfw show`. What is the difference, and what does this
:accomplish ? Sorry if I am missing something.
What I mean is, post the results. There might be some obvious
So, you say that a poorly configured netscreen is no better than a poorly
configured freebsd+ipfw ... but what about the best possibly configured
netscreen vs. the best possibly configured freebsd+ipfw ?
The answer to that particular question depends on what you mean
by configured.
On Thu, 16 Jan 2003, Josh Brooks wrote:
stuff about inserting a machine snipped
You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
256 megs ram ... and normally `top` says it is at about 80% idle, and
everything is wonderful - but when someone shoves 12,000-15,000
Nate Williams wrote:
Except that it's acting as a router, and as such there is no 'setup'
except for the one he is using to configure/monitor the firewall via
SSH.
In essence, a no-op in a dedicated firewall setup.
He doesn't want just a dedicated firewall, since it won't save
him from an
Bernard van Gastel wrote, On 01/13/03 22:12:
Secondly: I have sound card problems on my laptop (Celeron 850, bla bla
bla). I get a strange message when I start the system :
pcm0: Intel 82801BA (ICH2) irq 10 at device 31.5 on pci0
pcm0: unable to map IO port space
device_probe_and_attach: pcm0
In any case, he's got something else strange going on, because
his load under attack, according to his numbers, never gets above
the load you'd expect on 10Mbit old-style ethernet, so he's got
something screwed up; probably, he has a loop in his rules, and
a packet gets trapped and
Try this simple ruleset:
possible deny log tcp from any to any setup tcpoptions !mss
ipfw add allow ip from any to any out
ipfw add allow ip from any to your.c.net{x,y,z,so on...}
ipfw add deny log ip from any to any
I'd limit these to the outside interface, for performance
will freebsd+ipfw always be worse in a ~10 meg/s throughput network
that gets attacked all the time than a purpose-built appliance like a
netscreen ?
I think it's been said that in general, the answer is no. It should
behave as well, and in some cases better. There are cases where it will
Try this simple ruleset:
possible deny log tcp from any to any setup tcpoptions !mss
ipfw add allow ip from any to any out
ipfw add allow ip from any to your.c.net{x,y,z,so on...}
ipfw add deny log ip from any to any
I'd limit these to the outside interface, for
Nate Williams wrote:
Except that it's acting as a router, and as such there is no 'setup'
except for the one he is using to configure/monitor the firewall via
SSH.
In essence, a no-op in a dedicated firewall setup.
He doesn't want just a dedicated firewall, since it won't save
him
In any case, he's got something else strange going on, because
his load under attack, according to his numbers, never gets above
the load you'd expect on 10Mbit old-style ethernet, so he's got
something screwed up; probably, he has a loop in his rules, and
a packet gets trapped and
If I remember correctly he has less than 10Mbit
uplink and a lot of count rules for client accounting.
That is the reason I recommend him to use userland accounting.
And as far as I understand the large number of count rules is
the reason for the trouble.
I removed all the count rules a week or so ago.
Josh Brooks wrote:
I removed all the count rules a week or so ago. Now I just have 2-300
rules in the form:
allow tcp from $IP to any established
allow tcp from any to $IP established
allow tcp from any to $IP 22,25,80,443 setup
deny ip from any to $IP
and I have that same set in there
Try this simple ruleset:
possible deny log tcp from any to any setup tcpoptions !mss
ipfw add allow ip from any to any out
ipfw add allow ip from any to your.c.net{x,y,z,so on...}
ipfw add deny log ip from any to any
I'd limit these to the outside interface,
why don't you read the ipfw manpage, install IPFW2, and rewrite
the ruleset using ipfw2 features (specifically the new syntax to
specify address sets) and dynamic rules:
something like
hosts={4,6,44,52,12,99,130,21,244}
ports=22,25,80,443
allow proto tcp src-ip 1.2.3.${hosts}/24
Josh Brooks wrote:
You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
256 megs ram ... and normally `top` says it is at about 80% idle, and
everything is wonderful - but when someone shoves 12,000-15,000 packets
per second down its throat, it chokes _hard_. You think
PS: I still think that if your CPU pegs, you've got a loop in there
somewhere. Most common case is a reject or deny. Try changing
all of them to drop, instead, and see if that fixes it.
FWIW, deny == drop. The 'reject' rule is the one that sends out ICMP
and RST packets.
Nate
in sys/systm.h:
extern int nswap; /* size of swap space */
in vm/vm_swap.c:
static int nswap; /* first block after the interleaved devs */
Is the extern pointing to this variable? (It seems so, don't see any other
such variable in the three)
If so, is there any problem with making nswap
On Thu, 16 Jan 2003, Josh Brooks wrote:
stuff about inserting a machine snipped
You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
256 megs ram ... and normally `top` says it is at about 80% idle, and
everything is wonderful - but when someone shoves
Josh Brooks wrote:
My freebsd machine does _nothing_ but filter packets and run ssh.
ONLY purpose is to deal with attacks. With an entire cpu dedicated
to dealing with attacks you aren't likely to run out of CPU suds (at least
not before your attackers fill your internet
Hello!
I have found that Maestro2E refuses to produce sound if the total
buffer size is 16kB. For example, look at the following program:
#include <fcntl.h>
#include <sys/soundcard.h>
#include <unistd.h>

int main(int argc, char **argv)
{
int I,J,K,SoundFD;
char Buf[256];
/* open the DSP device write-only; give up if it cannot be opened */
SoundFD=open("/dev/dsp",O_WRONLY);
if(SoundFD<0) return(1);
J=AFMT_U8;
Terry Lambert wrote:
Josh Brooks wrote:
You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
256 megs ram ... and normally `top` says it is at about 80% idle, and
everything is wonderful - but when someone shoves 12,000-15,000 packets
per second down its throat, it
Josh Brooks wrote:
The problem is, I have a few hundred ipfw rules (there are over 200
machines behind this firewall) and so when a DDoS attack comes, every
packet has to traverse those hundreds of rules - and so even though the
firewall is doing nothing other than filtering packets, the cpu
At 2003-01-16T18:52:00Z, Josh Brooks [EMAIL PROTECTED] writes:
If I have a large network with high profile hosts (50+ shell servers, 50
or more different ircds running) am I wasting my time trying to hack and
tweak a FreeBSD host-based firewall running ipfw ?
Out of curiosity, have you tried