Kevin,

> That's very helpful to know. So at this time are you doing NAT from the
> router or simply passing all traffic and allowing the switch to sort it out?

There is no NAT on my router. The setup looks like this:

ISP--switch--FreeBSD-router---switch---firewall (nat, etc)

The switch is basically one device with some vlans. My outside connectivity is done by BGP, my internal routing is using OSPF as an IGMP protocol.

> You can google sflow for FreeBSD. There is an export tool for netflow which I
> have used that exports as sflow via a bridge type conversion. Works
> incredibly well.

Great, I'll look into that. Could you recommend some flow display/analysis software?

> ICMP can be blocked safely but it does need to be specific. For example you
> can allow ping and disallow bogus ICMP. You can safely block, for example,
> UDP port 0 which is commonly attacked.

Ok.

> If you do not wish to make it public, it's fine. However, you can send me
> your current pf rules and I can take a look and provide some recommendations.

My firewall is basic and looks like this: http://pastebin.com/JJbLxHTS

> Additionally, it would be good to know the switch you're using. I'm guessing
> since it's sflow that it's Juniper. There are some very useful ACL's that can
> be put in at the switch.

I have both juniper ex2200 and cisco 2960s at hand.

> However, if the BSD box is either live locking or crashing then you need to
> fix that first.

The BSD box drops network connectivity - OSPF fails first, which causes my network to go offline. The host itself is working - I can access it via iLOM.

> I would state that enabling polling can be done from the command line if it's
> already enabled in the kernel.
>
> Enabling polling in itself without tweaking it could likely increase your
> overall PPS limitations by 70%. So I recommend doing that immediately and
> just placing it on your public facing NIC first.

My ethernet cards use the em driver. I can change to igb cards in a few weeks. Is it safe to enable polling on a production system?
All best,
jim
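The exchange above ends on whether device polling can be switched on for the em NIC of a production router. The script below is an added example, not code from either poster: a pre-flight check that decides whether `ifconfig <if> polling` is even applicable before anyone types it. It assumes FreeBSD's `ifconfig -m` output format (a `capabilities=` line listing `POLLING` when the driver supports it, an `options=` line listing it once enabled) and the `kern.polling.*` sysctls that exist only when the kernel was built with `DEVICE_POLLING`; the ifconfig output embedded in the script is constructed sample text (the hex flag words are made up) so the checks run offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight check for turning on
# device polling on a FreeBSD NIC: polling only works if the kernel has
# DEVICE_POLLING and the driver advertises the POLLING capability, and
# `ifconfig <if> polling` can be reverted with `ifconfig <if> -polling`
# if packet handling gets worse instead of better.
# The ifconfig output below is CONSTRUCTED to resemble `ifconfig -m em0`;
# only the POLLING keyword matters to the checks.

SAMPLE_CAPABLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4>
    capabilities=4419b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,POLLING,WOL_MAGIC>'

SAMPLE_ENABLED='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4619b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,POLLING>
    capabilities=4419b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,POLLING,WOL_MAGIC>'

SAMPLE_NOCAP='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    capabilities=8<VLAN_MTU>'

# True if the kernel exposes the polling sysctls (i.e. built with DEVICE_POLLING).
# Only meaningful on a FreeBSD host; every other function here runs offline.
kernel_has_polling() {
    sysctl -n kern.polling.burst_max >/dev/null 2>&1
}

# True if the driver advertises POLLING in its capabilities line.
# $1 = ifconfig -m output. grep works line by line, so [^>]* never crosses lines.
poll_capable() {
    printf '%s\n' "$1" | grep -q 'capabilities=[^>]*[<,]POLLING[,>]'
}

# True if POLLING is already switched on (present in the options line).
poll_enabled() {
    printf '%s\n' "$1" | grep -q 'options=[^>]*[<,]POLLING[,>]'
}

# Print what an operator should do next, without executing anything.
# $1 = ifconfig -m output, $2 = interface name, $3 = "yes" if the kernel
# has DEVICE_POLLING (as reported by kernel_has_polling).
polling_plan() {
    if [ "$3" != yes ]; then
        echo "kernel lacks DEVICE_POLLING: add 'options DEVICE_POLLING' and rebuild before trying"
    elif ! poll_capable "$1"; then
        echo "$2 driver does not advertise POLLING: leave interrupt mode as is"
    elif poll_enabled "$1"; then
        echo "$2 already polling; tune kern.polling.* only if PPS is still limited"
    else
        echo "ifconfig $2 polling   # revert with: ifconfig $2 -polling"
    fi
}

# Stand-alone use on a FreeBSD box: sh poll-check.sh em0
if [ $# -gt 0 ]; then
    if kernel_has_polling; then k=yes; else k=no; fi
    polling_plan "$(ifconfig -m "$1")" "$1" "$k"
fi
```

The point of the capability check is that the change is reversible per interface and can be tried on the public-facing NIC alone, as suggested above, while a kernel without `DEVICE_POLLING` needs a rebuild and reboot rather than a command-line toggle.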