Hello,
in early January this year there was a discussion about the way ipfw
interacts with ipsec. Last November ipfw was changed to process ipsec
datagrams twice: once before and a second time after the decoding
procedure. This makes life easier for people who use gif tunnels with
ipsec transport
Hi!
For a long time I've been disappointed with the features in the ports system. No ports
conflicts checking and other stuff.
Last year I've begun to make some things - I've found the obsoleted bin/13649 and
ports/13650 PRs that introduce ports conflicts checking, and I've asked in
freebsd-ports and portmgr about this
Hmmm. This looks interesting. I'll review your patches this weekend,
OK?
- Jordan
On Thursday, January 16, 2003, at 09:15 AM, Sergey Matveychuk wrote:
Hi!
For a long time I've been disappointed with the features in the ports system. No ports
conflicts checking and other stuff.
Last year I've begun mak
Hi,
If I have a large network with high profile hosts (50+ shell servers, 50
or more different ircds running) am I wasting my time trying to hack and
tweak a FreeBSD host-based firewall running ipfw?
I am getting hammered by a different (D)DoS attack every single day - it's
always something new
Josh Brooks wrote:
> If I have a large network with high profile hosts (50+ shell servers, 50
> or more different ircds running) am I wasting my time trying to hack and
> tweak a FreeBSD host-based firewall running ipfw?
>
> I am getting hammered by a different (D)DoS attack every single day - it
Thank you for that advice - it is very well taken.
Obviously, my goal is to mitigate as much as possible - I have accepted
that I cannot stop all DDoS - my question is, do serious people ever
attempt to do the mitigation/load shedding with a host-based firewall (in
this case fbsd+ipfw)? Or woul
> Obviously, my goal is to mitigate as much as possible - I have accepted
> that I cannot stop all DDoS - my question is, do serious people ever
> attempt to do the mitigation/load shedding with a host-based firewall (in
> this case fbsd+ipfw)? Or would all serious people interested in
> mitigati
Again, thank you very much for your advice and comments - they are very
well taken.
I will clarify and say that the fbsd system I am using / talking about is
a _dedicated_ firewall. Only port 22 is open on it.
The problem is, I have a few hundred ipfw rules (there are over 200
machines behind t
> Again, thank you very much for your advice and comments - they are very
> well taken.
>
> I will clarify and say that the fbsd system I am using / talking about is
> a _dedicated_ firewall. Only port 22 is open on it.
Ah, OK. That wasn't clear from your emails.
> The problem is, I have a few
> As far as the suggestion to use the FreeBSD box in bridging mode, I
> can't speak to that. My attempts to do so were less than successful, so
> I stuck with the more 'common' router/firewall combination.
In case you are still interested in running an ipfw-based FreeBSD firewall
in bridging mod
Nate,
So you are saying that if I put in:
ipfw add 1 deny tcp from any to 10.10.10.10 6667
That an incoming packet for 10.10.10.10 on port 6667 will go through the
rule set _twice_ (once for each interface)? I don't understand this - if
it comes in on the external and hits that rule, it i
On Thu, Jan 16, 2003 at 08:15:44PM +0300, Sergey Matveychuk wrote:
> It was 1 December 2002. Till now there is no reaction.
> I've written a few mails to portmgr but I've just been ignored.
You've forgotten that we've been deep in the middle of a release cycle
for the past several months. I want to look
Hello,
Is there any possibility of helping me get FreeBSD started with the SMP
option (the "no SMP" kernel works okay) on a modern 2-Xeon-proc server?
I have about two weeks for accomplishing that, after that machine either
goes under Linux, or even under Windows, as there is a complementary
(and very n
> So you are saying that if I put in:
>
> ipfw add 1 deny tcp from any to 10.10.10.10 6667
>
> That an incoming packet for 10.10.10.10 on port 6667 will go through the
> rule set _twice_ (once for each interface)?
No, that much is true. However, you want to optimize your firewall for
packe
The 'firewall' manual page is a must-read.
http://www.freebsd.org/cgi/man.cgi?query=firewall&apropos=0&sektion=0&manpath=FreeBSD+4.7-stable&format=html
I recommend that you first construct your firewall without worrying
too much about optimizing it. Let it run a while, then use
> You don't want to stick the 'block abnormal packets' rules at the top of
> the list, IMO. You want those at the end, since abnormal packets are
> *usually* the exception. Optimize for the standard case.
Wow - that is _very interesting_ that you say this. We were having a
similar discussion
:My problem is that every time I add a new rule to the top, a new kind of
:attack is used, and gets through just fine - so I have 12K packets/s
:coming through all 300 rules of mine no matter what I put in :)
:
:thanks again for your help and comments.
If attacks are a predominant problem for
Josh Brooks wrote:
Thank you for that advice - it is very well taken.
Obviously, my goal is to mitigate as much as possible - I have accepted
that I cannot stop all DDoS - my question is, do serious people ever
attempt to do the mitigation/load shedding with a host-based firewall (in
this case fb
> > You don't want to stick the 'block abnormal packets' rules at the top of
> > the list, IMO. You want those at the end, since abnormal packets are
> > *usually* the exception. Optimize for the standard case.
>
> Wow - that is _very interesting_ that you say this. We were having a
> similar d
>
> If attacks are a predominant problem for you, I recommend sticking a
> machine in between your internet connection and everything else whos
Actually this is what I already do - my ISP does all the routing, and it
feeds in one interface of my freebsd machine, and everything else is on
t
Josh Brooks wrote:
> Thank you for that advice - it is very well taken.
>
> Obviously, my goal is to mitigate as much as possible - I have accepted
> that I cannot stop all DDoS - my question is, do serious people ever
> attempt to do the mitigation/load shedding with a host-based firewall (in
> t
:per second down its throat, it chokes _hard_. You think that optimizing
:my ruleset will change that? Or does 15K p/s choke any freebsd+ipfw
:firewall with 1-200 rules running on it?
:
:thanks.
Run 'ipfw -v list' on it.
-Matt
> Again, thank you very much for your advice and comments - they are very
> well taken.
>
> I will clarify and say that the fbsd system I am using / talking about is
> a _dedicated_ firewall. Only port 22 is open on it.
Do not open this port outside
> The problem is, I have a few hundred ipfw ru
> Run 'ipfw -v list' on it.
Yes .. I do that ... and it shows me a list of my firewall rules. I
usually use `ipfw show`. What is the difference, and what does this
accomplish? Sorry if I am missing something.
Josh Brooks wrote:
Again, thank you very much for your advice and comments - they are very
well taken.
I will clarify and say that the fbsd system I am using / talking about is
a _dedicated_ firewall. Only port 22 is open on it.
The problem is, I have a few hundred ipfw rules (there are over 20
Josh Brooks wrote:
> So, you say that a poorly configured netscreen is no better than a poorly
> configured freebsd+ipfw ... but what about the best possibly configured
> netscreen vs. the best possibly configured freebsd+ipfw?
The answer to that particular question depends on what you mean
by "c
> Try this simple ruleset:
>
> possible deny log tcp from any to any setup tcpoptions !mss
>
> ipfw add allow ip from any to any out
> ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> ipfw add deny log ip from any to any
I'd limit these to the outside interface, for performance rules.
:
:
:> Run 'ipfw -v list' on it.
:
:Yes .. I do that ... and it shows me a list of my firewall rules. I
:usually use `ipfw show`. What is the difference, and what does this
:accomplish? Sorry if I am missing something.
What I mean is, post the results. There might be some obvious
> > So, you say that a poorly configured netscreen is no better than a poorly
> > configured freebsd+ipfw ... but what about the best possibly configured
> > netscreen vs. the best possibly configured freebsd+ipfw?
>
> The answer to that particular question depends on what you mean
> by "configur
On Thu, 16 Jan 2003, Josh Brooks wrote:
>
> You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> 256 megs ram ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it
Nate Williams wrote:
> Except that it's acting as a router, and as such there is no 'setup'
> except for the one he is using to configure/monitor the firewall via
> SSH.
>
> In essence, a no-op in a dedicated firewall setup.
He doesn't want just a dedicated firewall, since it won't save
him from
Bernard van Gastel wrote, On 01/13/03 22:12:
Secondly: I have sound card problems on my laptop (Celeron 850, bla bla
bla). I get a strange message when I start the system :
pcm0: irq 10 at device 31.5 on pci0
pcm0: unable to map IO port space
device_probe_and_attach: pcm0 attach returned 6
Tr
> In any case, he's got something else strange going on, because
> his load under attack, according to his numbers, never gets above
> the load you'd expect on 10Mbit old-style ethernet, so he's got
> something screwed up; probably, he has a loop in his rules, and
> a packet gets trapped and repro
> > Try this simple ruleset:
> >
> > possible deny log tcp from any to any setup tcpoptions !mss
> >
> > ipfw add allow ip from any to any out
> > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > ipfw add deny log ip from any to any
>
> I'd limit these to the outside interface, for p
> will freebsd+ipfw always be worse in a ~10 meg/s throughput network
> that gets attacked all the time than a purpose-built appliance like a
> netscreen?
I think it's been said that in general, the answer is no. It should
behave as well, and in some cases better. There are cases where it will
> > > Try this simple ruleset:
> > >
> > > possible deny log tcp from any to any setup tcpoptions !mss
> > >
> > > ipfw add allow ip from any to any out
> > > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > > ipfw add deny log ip from any to any
> >
> > I'd limit these to the outsid
> Nate Williams wrote:
> > Except that it's acting as a router, and as such there is no 'setup'
> > except for the one he is using to configure/monitor the firewall via
> > SSH.
> >
> > In essence, a no-op in a dedicated firewall setup.
>
> He doesn't want just a dedicated firewall, since it won'
> > In any case, he's got something else strange going on, because
> > his load under attack, according to his numbers, never gets above
> > the load you'd expect on 10Mbit old-style ethernet, so he's got
> > something screwed up; probably, he has a loop in his rules, and
> > a packet gets trapped
> >
> > If attacks are a predominant problem for you, I recommend sticking a
> > machine in between your internet connection and everything else whos
>
> Actually this is what I already do - my ISP does all the routing, and it
> feeds in one interface of my freebsd machine, and everything
> If I remember correctly he has less than 10Mbit
> uplink and a lot of count rules for client accounting.
> It is the reason I recommend him to use userland accounting.
> And as far as I understand a lot of count rules are
> the reason for trouble.
I removed all the count rules a week or so ago. Now
> > If I remember correctly he has less than 10Mbit
> > uplink and a lot of count rules for client accounting.
> > It is the reason I recommend him to use userland accounting.
> > And as far as I understand a lot of count rules are
> > the reason for trouble.
>
> I removed all the count rules a week or
Josh Brooks wrote:
> I removed all the count rules a week or so ago. Now I just have 2-300
> rules in the form:
>
> allow tcp from $IP to any established
> allow tcp from any to $IP established
> allow tcp from any to $IP 22,25,80,443 setup
> deny ip from any to $IP
>
> and I have that same set
> > > > Try this simple ruleset:
> > > >
> > > > possible deny log tcp from any to any setup tcpoptions !mss
> > > >
> > > > ipfw add allow ip from any to any out
> > > > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > > > ipfw add deny log ip from any to any
> > >
> > > I'd limit t
why don't you read the ipfw manpage, install IPFW2, and rewrite
the ruleset using ipfw2 features (specifically the new syntax to
specify address sets) and dynamic rules:
something like
hosts="{4,6,44,52,12,99,130,21,244}"
ports="22,25,80,443"
allow proto tcp src-ip 1.2.3.${hosts}/24 d
Josh Brooks wrote:
> You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> 256 megs ram ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it chokes _hard_. You thin
> PS: I still think that if your CPU pegs, you've got a loop in there
> somewhere. Most common case is a "reject" or "deny". Try changing
> all of them to "drop", instead, and see if that "fixes" it.
FWIW, deny == drop. The 'reject' rule is the one that sends out ICMP
and RST packets.
Nate
T
in :
extern int nswap; /* size of swap space */
in :
static int nswap; /* first block after the interleaved devs */
Is the extern pointing to this variable? (It seems so; I don't see any other
such variable in the tree.)
If so, is there any problem with making nswap non-static?
Thanks
Mark
> On Thu, 16 Jan 2003, Josh Brooks wrote:
>
>
> >
> > You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> > 256 megs ram ... and normally `top` says it is at about 80% idle, and
> > everything is wonderful - but when someone shoves 12,000-15,000 packets
> > per second dow
Josh Brooks wrote:
> My freebsd machine does _nothing_ but filter packets and run ssh.
>
> > ONLY purpose is to deal with attacks. With an entire cpu dedicated
> > to dealing with attacks you aren't likely to run out of CPU suds (at least
> > not before your attackers fills your inter
Hello!
I have found that Maestro2E refuses to produce sound if the total
buffer size is <16kB. For example, look at the following program:
/* headers needed for open(), ioctl(), AFMT_U8 and the sound ioctls */
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/soundcard.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
int I,J,K,SoundFD;
char Buf[256];
SoundFD=open("/dev/dsp",O_WRONLY);
if(SoundFD<0) return(1);
J=AFMT_U8;          /* request unsigned 8-bit samples */
ioctl(
Terry Lambert wrote:
> Josh Brooks wrote:
> > You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> > 256 megs ram ... and normally `top` says it is at about 80% idle, and
> > everything is wonderful - but when someone shoves 12,000-15,000 packets
> > per second down its thr
Josh Brooks wrote:
The problem is, I have a few hundred ipfw rules (there are over 200
machines behind this firewall) and so when a DDoS attack comes, every
packet has to traverse those hundreds of rules - and so even though the
firewall is doing nothing other than filtering packets, the cpu gets
At 2003-01-16T18:52:00Z, Josh Brooks <[EMAIL PROTECTED]> writes:
> If I have a large network with high profile hosts (50+ shell servers, 50
> or more different ircds running) am I wasting my time trying to hack and
> tweak a FreeBSD host-based firewall running ipfw?
Out of curiosity, have you t