"Robert L. Harris" wrote:
>
> Thus spake jj@spiderentertainment.com (jj@spiderentertainment.com):
>
> > lol, I guess you got your share of DoS.
> >
> > Well I looked at the IP-chains, looking at the source code now. I guess what I am
> > looking for is something that is very fast, since we do run some high volume sites.
>
> I have a p166 running my firewall and it's more than fast enough to hold up on a
> 768K dsl (loaned it to a friend for a week).
Ditto - I'm running IPchains on a P75 with blown
L2 cache (a whopping 29 Bogomips) and it is bored
to tears on my 500K cable link. I know people are
using 486-33s as IPchains firewalls on ISDN links.
>
> > Second issue I would like to explore the possibility (if it does exist) to put a
> > special filter on the port 80 where the HEAD in HTTP is disallowed.
>
> Not sure about this.
You can write user-space code to do pretty much any
kind of socket or packet filtering you want. Check
out the libfw library
( http://www.rustcorp.com/linux/ipchains has a
pointer to it toward the bottom of the page).
> > Third issue: I hate ping flooders, they don't do anything but use your bandwidth.
> > Still I would like to protect the machine against that, so it is not busy trying to
> > respond to bogus ping floods.
>
> I just set it to deny icmp pings. The packets come in and just never go
> back. The firewall just drops them.
>
> > Fifth: A firewall that is fully configurable, meaning it would be hard for the
> > folks to tell what firewall it is.
>
> With ipchains you pick what ports you want open and closed, combine that with
> specific sources and destinations on those ports, you're ok. I allow 5
> legitimate services to my firewall, and only ssh through my firewall except
> http to my web server. port 80 on every other box is blocked. In addition I
> allow telnet to the firewall, but I run DTK on the telnet port so if anyone tries
> anything I'll know about it and they won't have a chance to get anywhere.
>
> :wq!
> ---------------------------------------------------------------------------
> Robert L. Harris | Low quality in a product happens.
> Senior System Engineer | That doesn't mean it's right and
> at RnD Consulting. | definitely doesn't mean it should
> \_ be accepted. Require quality.
>
> http://www.rnd-consulting.com/~nomad
>
> DISCLAIMER:
> These are MY OPINIONS ALONE. I speak for no-one else.
>
> FYI:
> perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
>
> --
> To unsubscribe: mail majordomo@ale.org with "unsubscribe ale" in message body.
-- Joe Knapka
* What happens when a mysterious force meets an inscrutable object?
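The "user-space code" answer above, for the port 80 HEAD question, as an added example that is not from the thread, libfw or ipchains: a small user-space TCP relay in Python that sits in front of the web server, reads the HTTP request line, and refuses HEAD (and anything outside an allow-list) with a 405 before the request reaches the backend. The backend address, the allowed-method set and the sample requests are assumptions made up for the example; the real ipchains rule on the firewall would still be what sends port 80 traffic to this relay.

```python
"""User-space HTTP method filter: rejects HEAD before the backend sees it.

Added example (not part of the mailing-list thread). Assumptions:
  - BACKEND is the real web server this relay forwards to (made-up address),
  - ALLOWED_METHODS is what the sites actually need (made-up policy).
"""
import socket
import threading

BACKEND = ("127.0.0.1", 8080)          # assumption: where the real httpd listens
LISTEN = ("0.0.0.0", 80)               # assumption: port the relay fronts
ALLOWED_METHODS = {"GET", "POST"}      # assumption: HEAD deliberately absent
MAX_REQUEST_LINE = 8192                # cap so a client cannot feed us endless bytes

REJECT_RESPONSE = (b"HTTP/1.0 405 Method Not Allowed\r\n"
                   b"Allow: GET, POST\r\n"
                   b"Content-Length: 0\r\n"
                   b"Connection: close\r\n\r\n")


def parse_request_line(data: bytes):
    """Return (method, target, version) from the first CRLF-terminated line, or None.

    None covers: no complete line yet, an over-long line, or the wrong token count.
    """
    line, sep, _ = data.partition(b"\r\n")
    if not sep or len(line) > MAX_REQUEST_LINE:
        return None
    parts = line.split(b" ")
    if len(parts) != 3:
        return None
    return tuple(p.decode("ascii", "replace") for p in parts)


def decide(data: bytes):
    """Policy: (allowed, reason). Malformed and HEAD requests are refused."""
    req = parse_request_line(data)
    if req is None:
        return False, "malformed request line"
    method, _target, _version = req
    if method == "HEAD":
        return False, "HEAD disallowed"
    if method not in ALLOWED_METHODS:
        return False, "method %s not permitted" % method
    return True, "ok"


def pump(src, dst):
    """Copy bytes one way until EOF, then shut the destination's write side."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, backend_addr=BACKEND):
    """Read the request head, apply decide(), then either reject or relay."""
    buf = b""
    with client:
        # Read until we have a full request line (or hit the size cap).
        while b"\r\n" not in buf and len(buf) <= MAX_REQUEST_LINE:
            chunk = client.recv(4096)
            if not chunk:
                return
            buf += chunk
        allowed, reason = decide(buf)
        if not allowed:
            client.sendall(REJECT_RESPONSE)   # refused in user space, backend untouched
            return
        backend = socket.create_connection(backend_addr)
        with backend:
            backend.sendall(buf)              # replay what we already consumed
            t = threading.Thread(target=pump, args=(backend, client), daemon=True)
            t.start()
            pump(client, backend)
            t.join()


# Constructed sample requests (not captured traffic) to show the decision logic.
SAMPLE_GET = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
SAMPLE_HEAD = b"HEAD /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def main():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(LISTEN)
    srv.listen(128)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    print(decide(SAMPLE_GET), decide(SAMPLE_HEAD))
    main()
```

This is an application-layer relay, not a packet filter: it only sees the bytes after the TCP handshake completes, so it costs a connection per request and does nothing for the ping-flood case, which belongs in ipchains. The size cap on the request line matters because a relay that waits forever for a CRLF is itself an easy thing to tie up.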