[MLUG] [ot] Looking for high performance open source firewall

David Filion david at filiontech.com
Wed Dec 17 15:19:37 EST 2008


I'd like to use a bridged firewall so that I can just drop it between 
the router and the load balancer.  I don't want to be NATing, it will 
really make a mess of things.  The router may have facilities built in, 
but it belongs to our ISP so I cannot access it.  PF won't do synproxy 
on a bridge and from what I've read, scrub, which cleans up the packets 
themselves, won't help with SYN attacks.

David


Andy Pintar wrote:
> I'd recommend PF, and this pdf:
> http://misc.allbsd.de/Vortrag/EuroBSDCon_2007//Peter_Hansteen/pf-firewall.pdf
> (as well as faq/pf on obsd's site)
>
> As for bridge mode, you will have to make changes via the console or 
> serial.  Is there a reason for running it on a bridge other than to hide 
> it?  This is an important point if you want to run a gui for configuring 
> it.  If you are smart about your filtering you won't be exposed from the 
> 'outside' and you could ssh in from an internal machine.  More 
> convenient...
> Anyway, the idea of running a tcp syn proxy is to prevent syn floods from 
> affecting the destination server. However, you might not need a tcp syn 
> proxy, since scrub will do most of what you want, and if you're getting 
> seriously bombed with legit syn packets your external pipe will still be 
> congested.
>
>
> On Wed, 17 Dec 2008, David Filion wrote:
>
>> Alexandre Teixeira wrote:
>>> Try Netfilter (IPTables) with Ethernet bonding driver of Linux in
>>> order to increase your throughput. If you don't like big commands and
>>> scripting maybe you can use Firewall Builder or this:
>>> http://www.iptablesfirewall.com/ss.php (never tested yet).
>>>
>>> Cheers
>>>
>>> Alexandre
>>>
>> <snip/>
>>
>> Right now I'm not concerned with bandwidth (our ISP is always willing to
>> give us more).  The problem is the volume of SYN packets.  Unfortunately
>> iptables doesn't contain a synproxy.  FreeBSD/OpenBSD support pf which
>> does have a synproxy, but it doesn't support bridged interfaces so back
>> to square one. (I don't know, maybe a synproxy on a bridged interface
>> isn't even possible?)
>>
>> I should mention that I'm not currently under attack.  Been there, done
>> that.  I'm looking for ways to limit any future damage without spending
>> incredible amounts of money.
>>
>>
>> David
>>
>>
>> _______________________________________________
>> mlug mailing list
>> mlug at listserv.mlug.ca
>> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>>
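As an added example that is not part of the thread, here is a minimal pf.conf contrasting the two mechanisms discussed above, scrub (packet normalization) and synproxy state (pf completing the handshake on the server's behalf). The interface name and server address are assumed.

```pf
# Added example, not from the thread. Interface and address are assumptions.
ext_if  = "em0"            # assumed: external interface facing the ISP router
web_srv = "192.0.2.10"     # assumed: the load balancer's VIP (documentation range)

# scrub normalizes traffic (reassembles fragments, clears bogus TCP flags,
# randomizes IP IDs). It never answers a SYN itself, so a flood of SYNs
# still creates half-open connections on $web_srv.
scrub in on $ext_if all

block in on $ext_if all

# synproxy state: pf completes the three-way handshake with the client
# using SYN cookies, and only after the client's ACK arrives does it open
# the connection to $web_srv. Spoofed or half-open SYNs never reach the
# server. As noted in the thread, this requires pf to be a routed hop;
# it is not available on a bridged interface.
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 } \
    flags S/SA synproxy state
```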


