[MLUG] [ot] Looking for high performance open source firewall
Andy Pintar
andy at hapoteh.net
Wed Dec 17 14:53:32 EST 2008
I'd recommend PF, and this pdf:
http://misc.allbsd.de/Vortrag/EuroBSDCon_2007//Peter_Hansteen/pf-firewall.pdf
(as well as faq/pf on obsd's site)
As for bridge mode, you will have to make changes via the console or
serial. Is there a reason for running it on a bridge other than to hide
it? This is an important point if you want to run a gui for configuring
it. If you are smart about your filtering you won't be exposed from the
'outside' and you could ssh in from an internal machine. More
convenient...
Anyway, the idea of running a tcp syn proxy is to prevent syn floods from
affecting the destination server. However, you might not need a tcp syn
proxy, since scrub will do most of what you want, and if you're getting
seriously bombed with legit syn packets your external pipe will still be
congested.
On Wed, 17 Dec 2008, David Filion wrote:
> Alexandre Teixeira wrote:
>> Try Netfilter (IPTables) with Ethernet bonding driver of Linux in
>> order to increase your throughput. If you don't like big commands and
>> scripting maybe you can use Firewall Builder or this:
>> http://www.iptablesfirewall.com/ss.php (never tested yet).
>>
>> Cheers
>>
>> Alexandre
>>
> <snip/>
>
> Right now I'm not concerned with bandwidth (our ISP is always willing to
> give us more). The problem is the volume of SYN packets. Unfortunately
> iptables doesn't contain a synproxy. FreeBSD/OpenBSD support pf which
> does have a synproxy, but it doesn't support bridged interfaces so back
> to square one. (I don't know, maybe a synproxy on a bridged interface
> isn't even possible?)
>
> I should mention that I'm not currently under attack. Been there, done
> that. I'm looking for ways to limit any future damage without spending
> incredible amounts of money.
>
>
> David
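A pf.conf fragment illustrating the synproxy and scrub mitigations Andy describes, added here as an example and not taken from the thread or the referenced PDF. It assumes OpenBSD 4.x-era pf syntax (as in the 2007 slides); the interface name, server address and table name are placeholders.

```conf
# Added example, not from the thread: pf.conf fragment for SYN-flood
# mitigation on a routed (not bridged) firewall, OpenBSD 4.x-era syntax.
# Placeholders: em0, 192.0.2.10 (RFC 5737 documentation range), <floodsrc>.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Sources that exceed the connection limits below land in this table.
table <floodsrc> persist

# Normalization: reassemble fragments, randomize the IP ID, and drop
# packets with nonsensical TCP flag combinations. This is the "scrub"
# Andy refers to; it runs before any pass/block rule is evaluated.
scrub in on $ext_if all fragment reassemble random-id

# Drop anything from sources already flagged as abusive.
block in quick on $ext_if from <floodsrc> to any

# synproxy: pf completes the three-way handshake itself and only opens
# a connection to the server once the client has answered the SYN-ACK,
# so spoofed SYNs never create state on the web server. The state
# options cap total states for this rule, track per-source connection
# counts and rate (15 new connections per 5 seconds here), and move
# offenders into <floodsrc>, flushing their existing states.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state \
    (max 10000, source-track rule, \
     max-src-conn 100, max-src-conn-rate 15/5, \
     overload <floodsrc> flush global)
```

Load with `pfctl -nf /etc/pf.conf` to syntax-check before `pfctl -f`, and watch the table with `pfctl -t floodsrc -T show`; on OpenBSD 4.7 and later the standalone scrub rule is written as `match in on $ext_if scrub (random-id reassemble tcp)` instead.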