why don't you read the ipfw manpage, install IPFW2, and rewrite the ruleset using ipfw2 features (specifically the new syntax to specify address sets) and dynamic rules:
something like

    hosts="{4,6,44,52,12,99,130,21,244}"
    ports="22,25,80,443"
    allow proto tcp src-ip 1.2.3.${hosts}/24 dst-port $ports setup keep-state
    deny tcp from any to any

should reduce the 200+ rules that you have to the 4-lines/2-rules above. Similar approach for UDP.

I think a lot of this discussion would have been saved if you had given a good read to the ipfw manpage instead of trying to tickle the ego of the list readers suggesting that the netwhatever thing might perform better than FreeBSD on your task.

And I am stepping out of the discussion now...

cheers
luigi

On Thu, Jan 16, 2003 at 03:56:43PM -0800, Josh Brooks wrote:
>
> > If I remember correctly he has less than 10Mbit
> > uplink and a lot of count rules for client accounting.
> > It is the reason I recommend him to use userland accounting.
> > And as far as I understand a lot of count rules is
> > the reason for trouble.
>
> I removed all the count rules a week or so ago. Now I just have 2-300
> rules in the form:
>
> allow tcp from $IP to any established
> allow tcp from any to $IP established
> allow tcp from any to $IP 22,25,80,443 setup
> deny ip from any to $IP
>
> and I have that same set in there about 50-70 times - one for each
> customer IP address that has requested it. That's it :)
>
> So each packet I get goes through about 5 rules at the front to check for
> bogus packets, then about 70 sets of the above until it either matches one
> of those, or goes out the end with the default allow rule.
>
> I _could_ put a ruleset like the above in for every customer, but then I
> would have about 2000 rules - so I only put them in for the customers that
> ask. But again, even though every day I put in more and more "special"
> blocks for DoS packets, every day there is some new DoS packet that I have
> never seen before that hits me at thousands of packets per second, and all
> of them flow through that entire ruleset.
>
> -----
>
> So I am going to:
>
> a) do the thing where I specify the interface for all my allow rules -
> that sounds like it will help a lot - 3 out of the 4 rules in the set
> above are allow rules - might as well push them through as soon as they
> get there.
>
> b) get better at blocking bogus packets every day :)
>
> c) start getting more complicated rate shaping with ipfw to limit icmp
> echo response and RSTs, etc.
>
> But I still don't know if any of that helps if I get a 20,000
> packet/second UDP flood to a valid port on an internal machine...
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-hackers" in the body of the message
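Luigi's address-set suggestion and Josh's per-customer rule block, worked through as an added example that is not from either poster: a small sh script that takes the customer addresses and emits one ipfw2 address-set rule pair in place of the per-IP sets. It assumes the ipfw2 `addr/masklen{list}` form from ipfw(8), that all customer addresses sit in one /24, and that `check-state` precedes the `keep-state` rule; nothing here runs `ipfw add`, the rules are only printed for review.

```shell
#!/bin/sh
# Added example, not from the thread. Collapses N per-customer rule sets
# into one ipfw2 address-set rule pair. Assumes the addr/masklen{list}
# syntax (masklen 24..32, list = last octets) documented in ipfw(8), and
# that every customer address shares the same /24. Output is printed
# for review; it is never passed to ipfw.

# Build "a.b.c.0/24{x,y,z}" from the dotted quads given as arguments.
# Fails if an address falls outside the /24 of the first one.
ipfw_addrset() {
    [ $# -gt 0 ] || return 1
    base=""; list=""
    for ip in "$@"; do
        prefix=${ip%.*}          # a.b.c
        last=${ip##*.}           # host octet
        if [ -z "$base" ]; then
            base=$prefix
        elif [ "$base" != "$prefix" ]; then
            echo "ipfw_addrset: $ip not in $base.0/24" >&2
            return 1
        fi
        list="${list:+$list,}$last"
    done
    printf '%s.0/24{%s}\n' "$base" "$list"
}

# Print the consolidated ruleset: check-state replaces the two
# "established" rules, one stateful allow covers the service ports for
# the whole set, and one deny closes everything else to those hosts.
# $1 = comma-separated TCP port list, remaining args = customer addresses.
ipfw_rules() {
    ports=$1; shift
    aset=$(ipfw_addrset "$@") || return 1
    printf 'check-state\n'
    printf 'allow tcp from any to %s %s setup keep-state\n' "$aset" "$ports"
    printf 'deny ip from any to %s\n' "$aset"
}

# Constructed sample: four customer hosts in 1.2.3.0/24.
ipfw_rules 22,25,80,443 1.2.3.4 1.2.3.6 1.2.3.44 1.2.3.52
```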