[MLUG] [ot] Looking for high performance open source firewall
Alexandre Teixeira
alexandre.abreu at gmail.com
Wed Dec 17 14:20:43 EST 2008
The Linux TCP stack does support some features for fighting SYN attacks. I don't
know if you have some case, but you can take a look at the sysctl interface and
the burst limit netfilter module.
--
Alexandre Teixeira
http://www.linkedin.com/in/inode
2008/12/17 David Filion <david at filiontech.com>
> Alexandre Teixeira wrote:
> > Try Netfilter (IPTables) with the Ethernet bonding driver of Linux in
> > order to increase your throughput. If you don't like big commands and
> > scripting, maybe you can use Firewall Builder or this:
> > http://www.iptablesfirewall.com/ss.php (never tested yet).
> >
> > Cheers
> >
> > Alexandre
> >
> <snip/>
>
> Right now I'm not concerned with bandwidth (our ISP is always willing to
> give us more). The problem is the volume of SYN packets. Unfortunately
> iptables doesn't contain a synproxy. FreeBSD/OpenBSD support pf, which
> does have a synproxy, but it doesn't support bridged interfaces, so back
> to square one. (I don't know, maybe a synproxy on a bridged interface
> isn't even possible?)
>
> I should mention that I'm not currently under attack. Been there, done
> that. I'm looking for ways to limit any future damage without spending
> incredible amounts of money.
>
>
> David
>
>
> _______________________________________________
> mlug mailing list
> mlug at listserv.mlug.ca
> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>
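As an added example that is not part of the original thread, the following POSIX shell sketch puts the two mitigations Alexandre points at into concrete form: the sysctl knobs the Linux TCP stack exposes for SYN floods, and an iptables rule set using the netfilter `limit` match (the "burst limit" module). It also includes a small check that counts half-open connections in `ss -ant` output, run here over a constructed sample. The port, rate and burst values are assumptions, not tuned recommendations.

```shell
#!/bin/sh
# Added example (not from the original thread): SYN-flood hardening on Linux
# plus a detection check over `ss -ant` output.

# sysctl.d fragment with the kernel knobs relevant to SYN floods.
# Values are a conservative starting point, not a tuned recommendation.
syn_hardening_sysctl() {
    cat <<'EOF'
# Answer with SYN cookies once the listen backlog overflows.
net.ipv4.tcp_syncookies = 1
# Allow more half-open connections before cookies kick in.
net.ipv4.tcp_max_syn_backlog = 4096
# Retransmit SYN-ACK fewer times so half-open entries expire sooner.
net.ipv4.tcp_synack_retries = 2
EOF
}

# iptables rules that rate-limit new TCP connections to one port with the
# `limit` match. Port, rate and burst are assumed defaults (arguments 1-3).
syn_ratelimit_rules() {
    port="${1:-80}"
    rate="${2:-100/second}"
    burst="${3:-200}"
    printf 'iptables -N SYN_LIMIT\n'
    printf 'iptables -A INPUT -p tcp --dport %s --syn -j SYN_LIMIT\n' "$port"
    printf 'iptables -A SYN_LIMIT -m limit --limit %s --limit-burst %s -j RETURN\n' \
        "$rate" "$burst"
    printf 'iptables -A SYN_LIMIT -j DROP\n'
}

# Count half-open (SYN-RECV) sockets in `ss -ant` output read from stdin.
# A sustained high count relative to ESTAB is the tell-tale of a SYN flood.
count_syn_recv() {
    awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# Constructed sample of `ss -ant` output (documentation addresses only).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV   0      0      192.0.2.10:80     198.51.100.7:40001
SYN-RECV   0      0      192.0.2.10:80     198.51.100.8:40002
ESTAB      0      0      192.0.2.10:80     203.0.113.5:51234
SYN-RECV   0      0      192.0.2.10:80     198.51.100.9:40003'

# Demonstration when run directly: print both fragments and the half-open count.
syn_hardening_sysctl
syn_ratelimit_rules 80
printf '%s\n' "$SAMPLE_SS" | count_syn_recv   # prints 3
```

On a live box the count would come from `ss -ant | count_syn_recv`; the fragments are meant to be reviewed and saved, not piped straight into a root shell.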