Thus spake jj@spiderentertainment.com (jj@spiderentertainment.com):
> lol, I guess you got your share of DoS.
>
> Well I looked at the IP-chains, looking at the source code now. I guess what I am
> looking for is something that is very fast, since we do run some high volume sites.
I have a p166 running my firewall and it's more than fast enough to hold up on a
768K dsl (loaned it to a friend for a week).
> Second issue I would like to explore the possibility (if it does exist) to put a
> special filter on the port 80 where the HEAD in HTTP is disallowed.
Not sure about this.
> Third issue: I hate ping flooders, they don't do anything but use your bandwidth.
> Still I would like to protect the machine against that, so it is not busy trying to
> respond to bogus ping floods.
I just set it to deny icmp pings. The packets come in and just never go
back. The firewall just drops them.
> Fifth: A firewall that is fully configurable, meaning it would be hard for the
> folks to tell what firewall it is.
With ipchains you pick what ports you want open and closed, combine that with
specific sources and destinations on those ports, you're ok. I allow 5
legitimate services to my firewall, and only ssh through my firewall except
http to my web server. port 80 on every other box is blocked. In addition I
allow telnet to the firewall, but I run DTK on the telnet port so if anyone tries
anything I'll know about it and they won't have a chance to get anywhere.
:wq!
---------------------------------------------------------------------------
Robert L. Harris | Low quality in a product happens.
Senior System Engineer | That doesn't mean it's right and
at RnD Consulting.                | definitely doesn't mean it should
\_ be accepted. Require quality.
http://www.rnd-consulting.com/~nomad
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.
FYI:
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'