[MLUG] [ot] Looking for high performance open source firewall
Andy Pintar
andy at hapoteh.net
Wed Dec 17 16:21:13 EST 2008
Yeah, well if your gateway is a bridge it's not feasible to run any sort
of proxy on it. I would be surprised if any other firewall out there can
do what you want in bridge mode, but please fill us in if you find out.
One thing I came across when searching is syn cookies:
http://forums.whirlpool.net.au/forum-replies-archive.cfm/1071065.html
http://cr.yp.to/syncookies.html
The other idea is that if you're not getting hit by syn floods ever then
don't worry about it for now... Anyway your net connection sounds weird,
not sure what you have going on there but INETS->ROUTER->LOAD_BALANCER is
weird. Why don't you explain the setup a bit? Maybe there's a better
spot to hide your firewall?
On Wed, 17 Dec 2008, David Filion wrote:
>
> I'd like to use a bridged firewall so that I can just drop it between
> the router and the load balancer. I don't want to be NATing, it will
> really make a mess of things. The router may have facilities built in,
> but it belongs to our ISP so I cannot access it. PF won't do synproxy
> on a bridge and from what I've read, scrub, which cleans up the packets
> themselves, won't help with SYN attacks.
>
> David
>
>
> Andy Pintar wrote:
>> I'd recommend PF, and this pdf:
>> http://misc.allbsd.de/Vortrag/EuroBSDCon_2007//Peter_Hansteen/pf-firewall.pdf
>> (as well as faq/pf on obsd's site)
>>
>> As for bridge mode, you will have to make changes via the console or
>> serial. Is there a reason for running it on a bridge other than to hide
>> it? This is an important point if you want to run a gui for configuring
>> it. If you are smart about your filtering you won't be exposed from the
>> 'outside' and you could ssh in from an internal machine. More
>> convenient...
>> Anyway, the idea of running a tcp syn proxy is to prevent syn floods from
>> affecting the destination server. However, you might not need a tcp syn
>> proxy, since scrub will do most of what you want, and if you're getting
>> seriously bombed with legit syn packets your external pipe will still be
>> congested.
>>
>>
>> On Wed, 17 Dec 2008, David Filion wrote:
>>
>>
>>> Alexandre Teixeira wrote:
>>>
>>>> Try Netfilter (IPTables) with Ethernet bonding driver of Linux in
>>>> order to increase your throughput. If you don't like big commands and
>>>> scripting maybe you can use Firewall Builder or this:
>>>> http://www.iptablesfirewall.com/ss.php (never tested yet).
>>>>
>>>> Cheers
>>>>
>>>> Alexandre
>>>>
>>>>
>>> <snip/>
>>>
>>> Right now I'm not concerned with bandwidth (our ISP is always willing to
>>> give us more). The problem is the volume of SYN packets. Unfortunately
>>> iptables doesn't contain a synproxy. FreeBSD/OpenBSD support pf which
>>> does have a synproxy, but it doesn't support bridged interfaces so back
>>> to square one. (I don't know, maybe a synproxy on a bridged interface
>>> isn't even possible?)
>>>
>>> I should mention that I'm not currently under attack. Been there, done
>>> that. I'm looking for ways to limit any future damage without spending
>>> incredible amounts of money.
>>>
>>>
>>> David
>>>
>>>
>>> _______________________________________________
>>> mlug mailing list
>>> mlug at listserv.mlug.ca
>>> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>>>
>>>
>
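The SYN cookie idea behind the two links in Andy's reply, as an added Python sketch that is not code from this thread, from PF or from Linux: the server answers a SYN with an initial sequence number that encodes a time slot, a rounded MSS and a keyed hash of the connection 4-tuple instead of keeping state for the half-open connection, and only allocates state when the returning ACK carries a cookie that verifies. The secret, the addresses, the 64-second slot counter and the MSS table are constructed for the example, following the 5/3/24-bit layout described at cr.yp.to.

```python
import hashlib
import hmac
import struct

# Constructed secret for the example; a real stack generates this at boot.
SECRET = b"constructed-example-secret"
# The client's MSS is rounded down to one of these and stored in 3 bits.
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac(src, dst, sport, dport, t):
    """Keyed 24-bit tag over the connection 4-tuple and the time slot t."""
    msg = src.encode() + b"|" + dst.encode() + struct.pack("!HHI", sport, dport, t & 0xFFFFFFFF)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, t):
    """ISN for the SYN-ACK: 5 bits of time slot, 3 bits of MSS index,
    24 bits of MAC. t is a coarse counter, e.g. int(time.time()) >> 6.
    Nothing about the half-open connection is stored on the server."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _mac(src, dst, sport, dport, t)


def check_cookie(src, dst, sport, dport, ack_seq, now_t, max_age=3):
    """Validate the final ACK of the handshake. Returns the MSS to use, or
    None if the cookie is forged, belongs to another 4-tuple, or is older
    than max_age slots (so a replayed ACK stops working after a few minutes)."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    slot, mss_idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):
        t = now_t - age
        expected = _mac(src, dst, sport, dport, t)
        if (t & 0x1F) == slot and hmac.compare_digest(
                tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    isn = make_cookie("192.0.2.10", "198.51.100.1", 40000, 80, 1460, 1000)
    print(hex(isn), check_cookie("192.0.2.10", "198.51.100.1", 40000, 80, isn + 1, 1001))
```

Because the server keeps no table of half-open connections, a flood of SYNs from spoofed sources costs it only the hash per packet, which is the property the synproxy discussion above is after; the price is that TCP options not encoded in the cookie (window scaling, SACK) are lost for connections set up this way.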