On Sat, 18 Jan 2003, Scott Francis wrote:
> > 2. I happen to like a host-based firewall (a firewall running on a normal user OS like FreeBSD) better than an appliance. You get to do anything you need with it, you have a full complement of unix tools like grep and awk and tcpdump and expect, etc. - it seems like you have more control. Assuming (for a moment) that performance were equal, does anyone else feel this way? Does anyone else prefer a normal system for a firewall over, say, a PIX?
>
> I'm with you on that, mainly for (a) flexibility of configuration, (b) ease/speed of upgrades/patches, and (c) price involved in purchase and maintenance. Also as you mentioned, a firewall that starts out just filtering can later be modified easily to capture packets for analysis later, run active or passive intrusion detection, etc.

I agree on pretty much all the points there :-)

> > 3. I am not that high profile ... but what do the high profile (shell servers like foonet and EFnet irc server operators) people use? Would any of those people consider even for a moment using a FreeBSD+ipfw system for their packet filtering and rate shaping?
>
> Avleen Vig may be able to give an answer from involvement with the SAFE project, or at least some interesting statistics ... :)

:-) Thanks! (Unfortunately SAFE has hit a little snag right now and we're looking for some kind body to host our scans for us. If anyone knows of someone willing to do this, please let me know. It's very low bandwidth / very low complaint generating.)

My opinion on this is that IPFW sucks for packet filtering. IPFW2 is much better - you can crunch hundreds of rules into just a handful by creating groups of IP addresses and network blocks. But I agree with Scott that a stateful packet filter like pf on OpenBSD or ipf on FreeBSD is much better at this task.

Rate limiting using IPFW during a DoS/DDoS attack is nice if you don't want your router to get overwhelmed trying to route huge numbers of packets. I can give the following advice: on a FreeBSD router, with both IPF and IPFW compiled into the kernel, packets are passed around like this:

INTERNET -> IPF -> IPFW+DUMMYNET -> Kernel -> IPF -> IPFW+DUMMYNET -> LAN
LAN -> IPF -> IPFW+DUMMYNET -> Kernel -> IPF -> IPFW+DUMMYNET -> INTERNET

This has the strong advantage of letting you filter off large numbers of packets before doing your rate limiting. The above combination works very well in my experience, during heavy DoS attacks. DRDoS, on the other hand, is more tricky, but again, rate limiting to the destination can help with this. With a stateful packet filter like pf/ipf, you can block out all packets where the connection hasn't been established, and only allow in SYNs. Then rate limit your SYNs to a very small number based on your needs.
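The IPF-before-dummynet layering described in the reply, as an added example that is not code from the thread: a small rc-style script that emits the IPF rules (stateful, only bare SYNs to the service create state) and the IPFW+dummynet commands (the SYNs IPF admits are squeezed through a narrow pipe), then loads them if ipf/ipfw are present. The external interface fxp0, the protected host 203.0.113.10 and the pipe bandwidth are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: rule generator for a FreeBSD router
# with IPF and IPFW+dummynet compiled into the kernel.
# Placeholders (assumed, override via environment): external interface fxp0,
# protected web server 203.0.113.10, SYN pipe bandwidth 32Kbit/s.
EXT_IF="${EXT_IF:-fxp0}"
SERVER="${SERVER:-203.0.113.10}"
SYN_BW="${SYN_BW:-32Kbit/s}"

# IPF sees the packet first. Only a bare SYN to the service port creates
# state; later packets of that flow match the state table, and everything
# else (ACK floods, stray RSTs, backscatter from spoofed sources) is dropped
# before dummynet spends any effort on it. Replies ride on the same state.
ipf_rules() {
    cat <<EOF
pass in quick on ${EXT_IF} proto tcp from any to ${SERVER} port = 80 flags S keep state
block in log quick on ${EXT_IF} all
EOF
}

# IPFW+dummynet runs next. "setup" matches SYN-without-ACK, so the SYNs that
# survived IPF go through a narrow pipe: a SYN flood can at most fill the
# pipe instead of the server's listen queue.
ipfw_cmds() {
    cat <<EOF
ipfw -q flush
ipfw pipe 1 config bw ${SYN_BW} queue 20
ipfw add 100 pipe 1 tcp from any to ${SERVER} in via ${EXT_IF} setup
ipfw add 65000 allow ip from any to any
EOF
}

# Load both rule sets on a real FreeBSD box; elsewhere just print them.
apply_rules() {
    if command -v ipf >/dev/null 2>&1 && command -v ipfw >/dev/null 2>&1; then
        ipf_rules > /etc/ipf.rules
        ipf -Fa -f /etc/ipf.rules     # flush old IPF rules, load the new set
        ipfw_cmds | sh -e             # run the ipfw commands in order
    else
        echo "ipf/ipfw not available, dry run:" >&2
        ipf_rules
        ipfw_cmds
    fi
}

apply_rules
```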