Again, thank you very much for your advice and comments - they are very well taken.
I will clarify and say that the fbsd system I am using / talking about is a _dedicated_ firewall. Only port 22 is open on it.

The problem is, I have a few hundred ipfw rules (there are over 200 machines behind this firewall), and so when a DDoS attack comes, every packet has to traverse those hundreds of rules - and so even though the firewall is doing nothing other than filtering packets, the CPU gets all used up. I have definitely put rules at the very front of the ruleset to filter out bad packets and obvious attacks, but there is a new one devised literally every day.

------

So, you say that a poorly configured NetScreen is no better than a poorly configured FreeBSD+ipfw ... but what about the best possibly configured NetScreen vs. the best possibly configured FreeBSD+ipfw?

thanks.

On Thu, 16 Jan 2003, Sean Chittenden wrote:

> > If I have a large network with high profile hosts (50+ shell servers, 50
> > or more different ircds running) am I wasting my time trying to hack and
> > tweak a FreeBSD host-based firewall running ipfw ?
>
> The suggestion later on to use a FreeBSD appliance is likely the best
> advice you've gotten. The only thing I'd suggest is to use ipfw in
> bridging mode that way your firewall is non-existent as far as the
> rest of the world is concerned. Don't do anything stateful and just
> filter out crap (where your definition of crap is left up to you).
>
> I've used PIXes before and have even gone so far as to work for Cisco
> for a while, so while I'm not allowed to say anything negative about
> the product (and won't ::wink::), I will suggest that you stick with
> FreeBSD as your firewall. -sc
>
> --
> Sean Chittenden
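The thread's technical point is that ipfw walks the ruleset linearly, so a few hundred per-host rules means a few hundred comparisons for every flood packet, and the advice is to put cheap stateless drops at the front and run the box as a bridge. The script below is an added example written for this page, not code from either poster: it generates an ipfw ruleset in which the front block is a handful of table lookups and the per-host rules are reached in one step via `skipto tablearg`, so a packet for any of N hosts walks a constant number of rules instead of N. It assumes a FreeBSD ipfw with tables and `tablearg` (both added after this January 2003 thread), an if_bridge(4) bridge with `net.link.bridge.ipfw=1` so bridged packets are filtered on the member interfaces, interface names em0/em1 (assumed), and a constructed four-entry host list standing in for the 200+ machines. Table 2 is meant to be filled at run time with `ipfw table 2 add <addr>` as new attack sources show up, which is one table insert rather than a ruleset reload.

```shell
#!/bin/sh
# Added example, not from the thread: build an ipfw ruleset for a stateless
# bridging firewall in front of many hosts so the per-packet rule walk stays
# short. Assumes a FreeBSD ipfw with tables and "skipto tablearg" (both newer
# than the 2003 thread). Interface names below are assumptions.
IPFW="${IPFW:-ipfw}"
OUTSIDE_IF="em0"   # bridge member facing the Internet (assumed name)
INSIDE_IF="em1"    # bridge member facing the protected hosts (assumed name)

# Constructed sample of protected hosts, one "address port" pair per line
# (stands in for the 200+ machines mentioned in the thread).
SERVICES="
192.0.2.10 22
192.0.2.10 6667
192.0.2.11 6667
192.0.2.12 22
"

# Emit the ruleset in the form ipfw(8) reads from a file (no "ipfw" prefix).
# Table 1: prefixes that must never arrive from outside (spoofed internal/RFC1918).
# Table 2: attack sources added at run time with "ipfw table 2 add <addr>".
# Table 3: protected host -> rule number of its private block, used by skipto.
build_ruleset() {
    cat <<EOF
table 1 flush
table 2 flush
table 3 flush
table 1 add 10.0.0.0/8
table 1 add 172.16.0.0/12
table 1 add 192.168.0.0/16
table 1 add 192.0.2.0/24
add 100 deny ip from table(1) to any in recv $OUTSIDE_IF
add 110 deny ip from table(2) to any in recv $OUTSIDE_IF
add 120 deny tcp from any to any tcpflags syn,fin
add 130 deny tcp from any to any frag
add 140 allow ip from any to any out
add 150 allow ip from any to any in recv $INSIDE_IF
add 160 allow tcp from any to any established in recv $OUTSIDE_IF
add 200 skipto tablearg ip from any to table(3) in recv $OUTSIDE_IF
add 300 deny ip from any to any in recv $OUTSIDE_IF
EOF
    # One small block per host, reached by the table lookup in rule 200, so a
    # packet for any of N hosts walks a constant number of rules instead of N.
    # Rule 130 drops non-first TCP fragments because they carry no port the
    # allow rules could check; rule 160 is the stateless "reply traffic" idiom.
    printf '%s\n' "$SERVICES" | awk -v out="$OUTSIDE_IF" '
        NF == 2 { ports[$1] = (ports[$1] == "" ? $2 : ports[$1] "," $2) }
        END {
            rule = 10000
            for (h in ports) {
                printf "table 3 add %s %d\n", h, rule
                printf "add %d allow tcp from any to %s %s in recv %s\n", rule, h, ports[h], out
                printf "add %d deny ip from any to %s in recv %s\n", rule + 5, h, out
                rule += 10
            }
        }'
    printf 'add 65000 deny ip from any to any\n'
}

# Total number of "add" rules emitted. This grows with the host count, but a
# packet only ever walks the fixed front block plus one host block.
rule_count() {
    build_ruleset | grep -c '^add '
}

# Load the generated ruleset. Flushing over ssh on a default-deny kernel
# drops your own session, so run this from the console or via cron/at(1).
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp"
    "$IPFW" -q -f flush && "$IPFW" -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    apply) apply_ruleset ;;
    show)  build_ruleset ;;
esac
```

Run it with `show` to inspect the generated rules, and `apply` (as root, from the console) to load them. Rules 100 through 300 are what every flood packet hits first; everything host-specific lives behind the single table lookup in rule 200, which is what keeps CPU cost flat as the host list grows.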