2012/3/15 Chuck Swiger <cswi...@mac.com>
> I prefer IPFW myself, but you probably ran out of stateful rule slots. For
> a high-volume service which is expected to be Internet-reachable (i.e., port
> 80 to a busy webserver), you really just don't want to have stateful
> rules-- it's too easy to DoS the firewall itself, as you noticed. In any
> event, you don't need state if you are just blacklisting attack sources.

I too prefer ipfw, especially since adding blacklist IP addresses or networks to a table is extremely efficient.

> You haven't really identified what you mean by "malformed", but maybe you
> are talking about a SYN flood, in which case make sure that SYN cookies and
> SYN cache are enabled...

I'm still wondering, too. Are the packets malformed, or is this a SYN flood?

- M

freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
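The two points made above (drop blacklisted sources via an ipfw lookup table, and keep the port 80 rules stateless so a flood cannot exhaust the dynamic rule table) put together as a small firewall script. This is an added example, not code from anyone in the thread. It assumes the web server listens on port 80 on the firewall host itself ("me"), uses table number 1, and the blacklist entries are constructed sample addresses from the TEST-NET ranges. By default it only prints the ipfw commands it would run; set IPFW_APPLY=1 to execute them on a FreeBSD box.

```shell
#!/bin/sh
# Added example: stateless ipfw ruleset with a table-driven blacklist.
# Assumptions (not from the thread): port 80 on this host, table 1,
# sample blacklist networks 192.0.2.0/24 and 198.51.100.7 (constructed).
# Dry run prints commands; IPFW_APPLY=1 executes them with ipfw(8).

run() {
    if [ "${IPFW_APPLY:-0}" = 1 ]; then
        ipfw -q "$@"
    else
        echo "ipfw -q $*"
    fi
}

# Adding an attack source to the table is cheap and does not require
# reloading or renumbering any rule; the deny rule below picks it up at once.
blacklist_add() {
    for net in "$@"; do
        run table 1 add "$net"
    done
}

load_rules() {
    run -f flush
    run table 1 flush
    run add 100 allow ip from any to any via lo0
    # A single rule matches every table entry; lookup cost does not grow
    # with the number of blacklisted networks.
    run add 200 deny ip from 'table(1)' to any in
    # Stateless web traffic: no keep-state/check-state, so a SYN flood
    # cannot fill the dynamic rule table (net.inet.ip.fw.dyn_max).
    run add 300 allow tcp from any to me 80 in
    run add 310 allow tcp from me 80 to any out
    # Remaining policy (ssh, DNS, default deny) is site-specific and omitted.
}

# SYN-flood handling belongs to the TCP stack, not the firewall: these are
# the /etc/sysctl.conf lines to keep SYN cookies on (the syncache is always
# active; its limits are tunable under net.inet.tcp.syncache.*).
syn_protection_sysctls() {
    echo "net.inet.tcp.syncookies=1"
}

load_rules
blacklist_add 192.0.2.0/24 198.51.100.7
```

Run as `sh ipfw-blacklist.sh` to review the commands, then `IPFW_APPLY=1 sh ipfw-blacklist.sh` to load them; new attack sources go in with `ipfw table 1 add <addr>` while the ruleset stays untouched. If you are trying to tell a SYN flood from malformed packets, `netstat -s -p tcp` (the syncache and SYN cookie counters) and a short `tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' and port 80` capture answer the question the thread is asking.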