I have worked mostly with ipfw and natd for freebsd.
if you are looking to do a lot of bandwidth this or open is going to be the way
to go. hope on the FreeBSD site and there is a link to Washington university's
site that explains the BSD tcp stack. according to them it is the fastest made
for multi-use operating systems. this kernal is what cdrom.com and yahoo
decided on for that reason.
the set up is pretty straight forward, one line in your kernal to turn on ipfw
and the you just use the ipfw command to set all of your rules. there is good
documentation in the online hand book on how to set it up at freebsd's site. or
you can do a `man ipfw` but if you want instructions on how to set firewall
rules you may want to look to some of the O'raley books.
I have used Free for 2 hacker conferences and plan on using it at Atlanta con
for all of the servers. I use the same kernal for all of the Time Warner web
sites. I get about 25 attempts a day, we haven't had a successful break in a
year and a half.
Open BSD is simular, supposedly you have more control and configurablity
(alough I didn't see anything I could do with it that I couldn't do with free)
but I found it a bit harder to set up. (alough that may be due to me having
been so used to using Free)
On 14-Jan-00 ">jj@spiderentertainment.com wrote:
> lol, I guess you got your share of DoS.
>
> Well I looked at the IP-chains, looking at the source code now. I guess what
> I am
> looking for is something that is very fast, since we do run some high volume
> sites.
>
> Second issue I would like to explore the possibility (if it does exist) to
> put a
> special filter on the port 80 where the HEAD in HTTP is disallowed.
>
> Third issue: I hate ping flooders, they don't do anything but use your
> bandwidth.
> Still I would like to protect the machine against that, so it is not busy
> trying
> to
> respond to bogus ping floods.
>
> Fifth: A firewall that is fully configureable, meaning it would be hard for
> the
> folks to tell what firewall it is.
>
> Tho this will prevent 90% of DoS, and 90% of hack attempts.
>
> I think I can live with 10% "hack think tanks" breaking in......... just
> backup
> everyday.
>
>
> I'm working on a really interesting personal project: To create such
> application
> that will alter the actual kernel to insert its code into it. You can think
> of
> "Bark
> Orffice", but alot more suffisticated, since it takes alot to alter the
> actual
> kernel. Ie, is the SMP compiled or not, what version etc. But it looks very
> good
> so
> far. In the first change I'm just doing raw source apply to the kernel and
> testing
>
> it. First goal: to hide traffic within the ping packets: Pattern encoding to
> make
> it
> harder for anyone to detect.
>
> What do you folks think ?
>
> Thx.
>
> ">jj@spiderentertainment.com wrote:
>
>> Sorry actually I meant to say is there any free firewall for BSD not
>> linux.
>>
>> --
>> To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message
>> body.
>
> --
> To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message
> body.
Today is National Existential Ennui Awareness Day.
-*HUGME*-
Your Friendly Unix Administrator
">hugme@hugme.org
www.hugme.org
--
To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message body.