At 2003-01-16T18:52:00Z, Josh Brooks <[EMAIL PROTECTED]> writes:
> If I have a large network with high profile hosts (50+ shell servers, 50
> or more different ircds running) am I wasting my time trying to hack and
> tweak a FreeBSD host-based firewall running ipfw ?
Out of curiosity, have you t
Josh Brooks wrote:
The problem is, I have a few hundred ipfw rules (there are over 200
machines behind this firewall) and so when a DDoS attack comes, every
packet has to traverse those hundreds of rules - and so even though the
firewall is doing nothing other than filtering packets, the cpu gets
Terry Lambert wrote:
> Josh Brooks wrote:
> > You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> > 256 megs ram ... and normally `top` says it is at about 80% idle, and
> > everything is wonderful - but when someone shoves 12,000-15,000 packets
> > per second down its thr
Hello!
I have found that Maestro2E refuses to produce sound if the total
buffer size is <16kB. For example, look at the following program:
#include <fcntl.h>          /* O_WRONLY */
#include <sys/ioctl.h>      /* ioctl() */
#include <sys/soundcard.h>  /* AFMT_U8 and the OSS /dev/dsp ioctls */
#include <unistd.h>
int main(int argc,char **argv)   /* argv is char **, not char * */
{
int I,J,K,SoundFD;
char Buf[256];
SoundFD=open("/dev/dsp",O_WRONLY);
if(SoundFD<0) return(1);
J=AFMT_U8;
/* ioctl( ... the remainder of the posted program is cut off in the archive */
return(0);
}
Josh Brooks wrote:
> My freebsd machine does _nothing_ but filter packets and run ssh.
>
> > ONLY purpose is to deal with attacks. With an entire cpu dedicated
> > to dealing with attacks you aren't likely to run out of CPU suds (at least
> > not before your attackers fills your inter
> On Thu, 16 Jan 2003, Josh Brooks wrote:
>
>
> >
> > You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> > 256 megs ram ... and normally `top` says it is at about 80% idle, and
> > everything is wonderful - but when someone shoves 12,000-15,000 packets
> > per second dow
in :
extern int nswap; /* size of swap space */
in :
static int nswap; /* first block after the interleaved devs */
Is the extern pointing to this variable? (It seems so; I don't see any other
such variable in the three.)
If so, is there any problem with making nswap non-static?
Thanks
Mark
-
> PS: I still think that if your CPU pegs, you've got a loop in there
> somewhere. Most common case is a "reject" or "deny". Try changing
> all of them to "drop", instead, and see if that "fixes" it.
FWIW, deny == drop. The 'reject' rule is the one that sends out ICMP
and RST packets.
Nate
T
Josh Brooks wrote:
> You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> 256 megs ram ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it chokes _hard_. You thin
why don't you read the ipfw manpage, install IPFW2, and rewrite
the ruleset using ipfw2 features (specifically the new syntax to
specify address sets) and dynamic rules:
something like
hosts="{4,6,44,52,12,99,130,21,244}"
ports="22,25,80,443"
allow proto tcp src-ip 1.2.3.${hosts}/24 d
> > > > Try this simple ruleset:
> > > >
> > > > possible deny log tcp from any to any setup tcpoptions !mss
> > > >
> > > > ipfw add allow ip from any to any out
> > > > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > > > ipfw add deny log ip from any to any
> > >
> > > I'd limit t
Josh Brooks wrote:
> I removed all the count rules a week or so ago. Now I just have 2-300
> rules in the form:
>
> allow tcp from $IP to any established
> allow tcp from any to $IP established
> allow tcp from any to $IP 22,25,80,443 setup
> deny ip from any to $IP
>
> and I have that same set
> > If I remember correctly he has less than a 10Mbit
> > uplink and a lot of count rules for client accounting.
> > That is the reason I recommended that he use userland accounting.
> > And as far as I understand, a lot of count rules are
> > the reason for the trouble.
>
> I removed all the count rules a week or
> If I remember correctly he has less than a 10Mbit
> uplink and a lot of count rules for client accounting.
> That is the reason I recommended that he use userland accounting.
> And as far as I understand, a lot of count rules are
> the reason for the trouble.
I removed all the count rules a week or so ago. Now
> >
> > If attacks are a predominant problem for you, I recommend sticking a
> > machine in between your internet connection and everything else whos
>
> Actually this is what I already do - my ISP does all the routing, and it
> feeds in one interface of my freebsd machine, and everything
> > In any case, he's got something else strange going on, because
> > his load under attack, according to his numbers, never gets above
> > the load you'd expect on 10Mbit old-style ethernet, so he's got
> > something screwed up; probably, he has a loop in his rules, and
> > a packet gets trapped
> Nate Williams wrote:
> > Except that it's acting as a router, and as such there is no 'setup'
> > except for the one he is using to configure/monitor the firewall via
> > SSH.
> >
> > In essence, a no-op in a dedicated firewall setup.
>
> He doesn't want just a dedicated firewall, since it won'
> > > Try this simple ruleset:
> > >
> > > possible deny log tcp from any to any setup tcpoptions !mss
> > >
> > > ipfw add allow ip from any to any out
> > > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > > ipfw add deny log ip from any to any
> >
> > I'd limit these to the outsid
> will freebsd+ipfw always be worse in a ~10 meg/s throughput network
> that gets attacked all the time than a purpose-built appliance like a
> netscreen ?
I think it's been said that in general, the answer is no. It should
behave as well, and in some cases better. There are cases where it will
> > Try this simple ruleset:
> >
> > possible deny log tcp from any to any setup tcpoptions !mss
> >
> > ipfw add allow ip from any to any out
> > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > ipfw add deny log ip from any to any
>
> I'd limit these to the outside interface, for p
> In any case, he's got something else strange going on, because
> his load under attack, according to his numbers, never gets above
> the load you'd expect on 10Mbit old-style ethernet, so he's got
> something screwed up; probably, he has a loop in his rules, and
> a packet gets trapped and repro
Bernard van Gastel wrote, On 01/13/03 22:12:
Secondly: I have sound card problems on my laptop (Celeron 850, bla bla
bla). I get a strange message when I start the system :
pcm0: irq 10 at device 31.5 on pci0
pcm0: unable to map IO port space
device_probe_and_attach: pcm0 attach returned 6
Tr
Nate Williams wrote:
> Except that it's acting as a router, and as such there is no 'setup'
> except for the one he is using to configure/monitor the firewall via
> SSH.
>
> In essence, a no-op in a dedicated firewall setup.
He doesn't want just a dedicated firewall, since it won't save
him from
On Thu, 16 Jan 2003, Josh Brooks wrote:
>
> You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> 256 megs ram ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it
> > So, you say that a poorly configured netscreen is no better than a poorly
> > configured freebsd+ipfw ... but what about the best possibly configured
> > netscreen vs. the best possibly configured freebsd+ipfw ?
>
> The answer to that particular question depends on what you mean
> by "configur
:
:
:> Run 'ipfw -v list' on it.
:
:Yes .. I do that ... and it shows me a list of my firewall rules. I
:usually use `ipfw show`. What is the difference, and what does this
:accomplish? Sorry if I am missing something.
What I mean is, post the results. There might be some obvious
> Try this simple ruleset:
>
> possible deny log tcp from any to any setup tcpoptions !mss
>
> ipfw add allow ip from any to any out
> ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> ipfw add deny log ip from any to any
I'd limit these to the outside interface, for performance rules.
Josh Brooks wrote:
> So, you say that a poorly configured netscreen is no better than a poorly
> configured freebsd+ipfw ... but what about the best possibly configured
> netscreen vs. the best possibly configured freebsd+ipfw ?
The answer to that particular question depends on what you mean
by "c
Josh Brooks wrote:
Again, thank you very much for your advice and comments - they are very
well taken.
I will clarify and say that the fbsd system I am using / talking about is
a _dedicated_ firewall. Only port 22 is open on it.
The problem is, I have a few hundred ipfw rules (there are over 20
> Run 'ipfw -v list' on it.
Yes .. I do that ... and it shows me a list of my firewall rules. I
usually use `ipfw show`. What is the difference, and what does this
accomplish? Sorry if I am missing something.
> Again, thank you very much for your advice and comments - they are very
> well taken.
>
> I will clarify and say that the fbsd system I am using / talking about is
> a _dedicated_ firewall. Only port 22 is open on it.
Do not open this port outside
> The problem is, I have a few hundred ipfw ru
:per second down its throat, it chokes _hard_. You think that optimizing
:my ruleset will change that ? Or does 15K p/s choke any freebsd+ipfw
:firewall with 1-200 rules running on it ?
:
:thanks.
Run 'ipfw -v list' on it.
-Matt
Josh Brooks wrote:
> Thank you for that advice - it is very well taken.
>
> Obviously, my goal is to mitigate as much as possible - I have accepted
> that I cannot stop all DDoS - my question is, do serious people ever
> attempt to do the mitigation/load shedding with a host-based firewall (in
> t
>
> If attacks are a predominant problem for you, I recommend sticking a
> machine in between your internet connection and everything else whos
Actually this is what I already do - my ISP does all the routing, and it
feeds in one interface of my freebsd machine, and everything else is on
t
> > You don't want to stick the 'block abnormal packets' rules at the top of
> > the list, IMO. You want those at the end, since abnormal packets are
> > *usually* the exception. Optimize for the standard case.
>
> Wow - that is _very interesting_ that you say this. We were having a
> similar d
Josh Brooks wrote:
Thank you for that advice - it is very well taken.
Obviously, my goal is to mitigate as much as possible - I have accepted
that I cannot stop all DDoS - my question is, do serious people ever
attempt to do the mitigation/load shedding with a host-based firewall (in
this case fb
:My problem is that every time I add a new rule to the top, a new kind of
:attack is used, and gets through just fine - so I have 12K packets/s
:coming through all 300 rules of mine no matter what I put in :)
:
:thanks again for your help and comments.
If attacks are a predominant problem for
> You don't want to stick the 'block abnormal packets' rules at the top of
> the list, IMO. You want those at the end, since abnormal packets are
> *usually* the exception. Optimize for the standard case.
Wow - that is _very interesting_ that you say this. We were having a
similar discussion
The 'firewall' manual page is a must-read.
http://www.freebsd.org/cgi/man.cgi?query=firewall&apropos=0&sektion=0&manpath=FreeBSD+4.7-stable&format=html
I recommend that you first construct your firewall without worrying
too much about optimizing it. Let it run a while, then use
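Following on from the advice above (build the ruleset, let it run for a while, then look at what the counters tell you) and the earlier point that a ruleset should be ordered for the common case, here is an added example that is not part of the thread and not anyone's posted code. It is a small Python tool that parses `ipfw show` output (rule number, packet counter, byte counter, rule text), ranks the rules by hits, estimates how many rules the average packet is compared against before it matches, and produces a reordered ruleset that moves the busiest per-host blocks (of the allow-established / allow-setup / deny-ip shape described in the thread) toward the top. The sample counters, the 10.1.1.x addresses and all function names are made up for illustration.

```python
"""Rank ipfw rules by hit count and reorder per-host blocks, busiest first.
Added example, not from the thread.  Assumes: ipfw is first-match, so a
packet counted on the rule in position i was compared against i rules;
the ruleset has no count/skipto/check-state rules (those break that
reading); and each per-host block matches only traffic to or from its
host, so whole blocks can be moved past each other without changing
what is allowed or denied.  Counters and addresses below are made up."""
import re
from dataclasses import dataclass

# Constructed `ipfw show` output (rule, packets, bytes, body), not real data.
SAMPLE_IPFW_SHOW = """\
00100     100      6000 deny log tcp from any to any setup tcpoptions !mss
00200     100     10000 allow tcp from 10.1.1.5 to any established
00300     100     10000 allow tcp from any to 10.1.1.5 established
00400      10       600 allow tcp from any to 10.1.1.5 22,25,80,443 setup
00500      50      3000 deny ip from any to 10.1.1.5
00600     800     80000 allow tcp from 10.1.1.6 to any established
00700     700     70000 allow tcp from any to 10.1.1.6 established
00800      40      2400 allow tcp from any to 10.1.1.6 22,25,80,443 setup
00900    5000    300000 deny ip from any to 10.1.1.6
01000      20      2000 allow tcp from 10.1.1.7 to any established
01100      20      2000 allow tcp from any to 10.1.1.7 established
01200       5       300 allow tcp from any to 10.1.1.7 22,25,80,443 setup
01300      10       600 deny ip from any to 10.1.1.7
65535       0         0 deny ip from any to any
"""
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    body: str

def parse_ipfw_show(text):
    """Parse `ipfw show` lines; other lines (dynamic-rule section) are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return out

def traversal_sum(rules):
    """Total rule comparisons: sum of position * packets over the list."""
    return sum((i + 1) * r.packets for i, r in enumerate(rules))

def mean_traversals(rules):
    total = sum(r.packets for r in rules)
    return traversal_sum(rules) / total if total else 0.0

def hottest(rules, n=5):
    return sorted(rules, key=lambda r: r.packets, reverse=True)[:n]

def group_rules(rules):
    """Contiguous blocks keyed by the first IPv4 literal; rules naming no
    host (global rules such as the final deny) get key None."""
    blocks = []
    for r in rules:
        m = IP_RE.search(r.body)
        key = m.group(1) if m else None
        if key is not None and blocks and blocks[-1][0] == key:
            blocks[-1][1].append(r)
        else:
            blocks.append((key, [r]))
    return blocks

def reorder_by_hits(rules):
    """Sort host blocks by packets, busiest first.  Global rules stay put and
    act as barriers: only host blocks between two of them are reordered."""
    out, run = [], []
    def flush():
        run.sort(key=lambda b: sum(r.packets for r in b[1]), reverse=True)
        for _, rs in run:
            out.extend(rs)
        run.clear()
    for key, rs in group_rules(rules):
        if key is None:
            flush()
            out.extend(rs)
        else:
            run.append((key, rs))
    flush()
    return out

def emit_ruleset(rules, step=100):
    """Renumbered `ipfw add` commands; 65535 is the built-in default rule and
    cannot be added, so it is dropped."""
    kept = [r for r in rules if r.number != 65535]
    return [f"ipfw add {(i + 1) * step} {r.body}" for i, r in enumerate(kept)]

if __name__ == "__main__":
    rules = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    for r in hottest(rules):
        print(f"{r.number:5d} {r.packets:8d} {r.body}")
    print(f"mean traversals: {mean_traversals(rules):.2f}")
    better = reorder_by_hits(rules)
    print(f"mean traversals after reorder: {mean_traversals(better):.2f}")
    print("\n".join(emit_ruleset(better)))
```

In use you would feed it a saved `ipfw show` (equivalent to `ipfw -a list`) taken after the box has been under a representative load, including an attack if you can catch one, since the packets that matter most are the ones hitting a `deny` near the bottom of a far-down host block. Two caveats before loading the reordered set: the block-level sort is only safe when the blocks really are disjoint (no overlapping address sets, no `skipto` or `check-state` jumping between them), and the per-packet cost it estimates is a proxy, not a measurement; with a few hundred rules it can shorten the path for the busiest hosts but it cannot make a linear ruleset cheaper than the number of rules a worst-case packet still has to walk.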
> So you are saying that if I put in:
>
> ipfw add 1 deny tcp from any to 10.10.10.10 6667
>
> That an incoming packet for 10.10.10.10 on port 6667 will go through the
> rule set _twice_ (once for each interface) ?
No, that much is true. However, you want to optimize your firewall for
packe
Hello,
Is there any possibility of helping me to get FreeBSD started with the SMP
option (and "no SMP" works okay) on a modern 2-Xeon-processor server?
I have about two weeks for accomplishing that, after that machine either
goes under Linux, or even under Windows, as there is a complementary
(and very n
On Thu, Jan 16, 2003 at 08:15:44PM +0300, Sergey Matveychuk wrote:
> It was 1 December 2002. Till now there has been no reaction.
> I've written a few mails to portmgr but I've just been ignored.
You've forgotten that we've been deep in the middle of a release cycle
for the past several months. I want to look
Nate,
So you are saying that if I put in:
ipfw add 1 deny tcp from any to 10.10.10.10 6667
That an incoming packet for 10.10.10.10 on port 6667 will go through the
rule set _twice_ (once for each interface) ? I don't understand this - if
it comes in on the external and hits that rule, it i
> As far as the suggestion to use the FreeBSD box in bridging mode, I
> can't speak to that. My attempts to do so were less than successful, so
> I stuck with the more 'common' router/firewall combination.
In case you are still interested in running an ipfw-based FreeBSD firewall
in bridging mod
> Again, thank you very much for your advice and comments - they are very
> well taken.
>
> I will clarify and say that the fbsd system I am using / talking about is
> a _dedicated_ firewall. Only port 22 is open on it.
Ah, OK. That wasn't clear from your emails.
> The problem is, I have a few
Again, thank you very much for your advice and comments - they are very
well taken.
I will clarify and say that the fbsd system I am using / talking about is
a _dedicated_ firewall. Only port 22 is open on it.
The problem is, I have a few hundred ipfw rules (there are over 200
machines behind t
> Obviously, my goal is to mitigate as much as possible - I have accepted
> that I cannot stop all DDoS - my question is, do serious people ever
> attempt to do the mitigation/load shedding with a host-based firewall (in
> this case fbsd+ipfw) ? Or would all serious people interested in
> mitigati
Thank you for that advice - it is very well taken.
Obviously, my goal is to mitigate as much as possible - I have accepted
that I cannot stop all DDoS - my question is, do serious people ever
attempt to do the mitigation/load shedding with a host-based firewall (in
this case fbsd+ipfw) ? Or woul
Josh Brooks wrote:
> If I have a large network with high profile hosts (50+ shell servers, 50
> or more different ircds running) am I wasting my time trying to hack and
> tweak a FreeBSD host-based firewall running ipfw ?
>
> I am getting hammered by a different (D)DoS attack every single day - it
Hi,
If I have a large network with high profile hosts (50+ shell servers, 50
or more different ircds running) am I wasting my time trying to hack and
tweak a FreeBSD host-based firewall running ipfw ?
I am getting hammered by a different (D)DoS attack every single day - it's
always something new
Hmmm. This looks interesting. I'll review your patches this weekend,
OK?
- Jordan
On Thursday, January 16, 2003, at 09:15 AM, Sergey Matveychuk wrote:
Hi!
For a long time I've been disappointed with the features of the ports system. No
ports conflicts checking and other stuff.
Last year I've begun mak
Hi!
For a long time I've been disappointed with the features of the ports system. No ports
conflicts checking and other stuff.
Last year I've begun to make some things - I've found the obsolete bin/13649 and
ports/13650 PRs that introduce ports conflicts checking; I've asked in
freebsd-ports and portmgr about this
Hello,
in early January this year there was a discussion about the way ipfw
interacts with ipsec. Last November ipfw was changed to process ipsec
datagrams twice: Once before and a second time after the decoding
procedure. This makes life easier for people who use gif tunnels with
ipsec transport