nanog mailing list archives

Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls


From: Avleen Vig <lists-nanog () silverwraith com>
Date: Sat, 18 Jan 2003 08:41:15 -0800 (PST)


On Sat, 18 Jan 2003, Scott Francis wrote:

> > 2. I happen to like a host-based firewall (a firewall running on a normal
> > user OS like FreeBSD) better than an appliance.  You get to do anything
> > you need with it, you have a full complement of unix tools like grep and
> > awk and tcpdump and expect, etc. - it seems like you have more control.
> > Assuming (for a moment) that performance were equal, does anyone else feel
> > this way ?  Does anyone else prefer a normal system for a firewall over,
> > say, a PIX ?
>
> I'm with you on that, mainly for (a) flexibility of configuration, (b)
> ease/speed of upgrades/patches, and (c) price involved in purchase and
> maintenance. Also as you mentioned, a firewall that starts out just filtering
> can later be modified easily to capture packets for analysis later, run
> active or passive intrusion detection, etc.

I agree on pretty much all the points there :-)

> > 3. I am not that high profile ... but what do the high profile (shell
> > servers like foonet and EFnet irc server operators) people use ?  Would
> > any of those people consider even for a moment using a FreeBSD+ipfw system
> > for their packet filtering and rate shaping ?
>
> Avleen Vig may be able to give an answer from involvement with the SAFE
> project, or at least some interesting statistics ... :)

:-) Thanks! (unfortunately SAFE has hit a little snag right now and we're
looking for some kind body to host our scans for us.. if anyone knows of
someone willing to do this, please let me know. It's very low bandwidth /
very low complaint generating).

My opinion on this is that IPFW sucks for packet filtering. IPFW2 is much
better - you can crunch hundreds of rules into just a handful by creating
groups of IP addresses and network blocks.
But I agree with Scott that a stateful packet filter like pf on OpenBSD or
ipf on FreeBSD is much better at this task.

Rate limiting using IPFW during a DoS/DDoS attack is nice if you don't
want your router to get overwhelmed trying to route huge numbers of
packets.

I can offer the following advice:
On a FreeBSD router, with both IPF and IPFW compiled into the kernel,
packets are passed around like this:

INTERNET -> IPF -> IPFW+DUMMYNET -> Kernel -> IPF -> IPFW+DUMMYNET -> LAN
LAN -> IPF -> IPFW+DUMMYNET -> Kernel -> IPF -> IPFW+DUMMYNET -> INTERNET

This has the strong advantage of letting you filter off large numbers of
packets before doing your rate limiting.

The above combination works very well in my experience, during heavy DoS
attacks.
DRDoS, on the other hand, is trickier, but again, rate limiting to the
destination can help with this.
With a stateful packet filter like pf/ipf, you can block out all packets
where the connection hasn't been established, and only allow in SYNs.
Then rate limit your SYNs to a very small number based on your needs.
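An rc.firewall-style ipfw2 script for the scheme described in this message, added here as an illustration and not code from the thread or from FreeBSD itself. It assumes a FreeBSD kernel with ipfw2 and dummynet, that ipf in front of it is already doing the stateful "SYNs only" filtering, and uses a placeholder interface (fxp0) and the documentation prefix 192.0.2.0/24 as the LAN; set fwcmd=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: ipfw2 tables for bulk filtering, then a dummynet pipe that
# caps inbound TCP SYNs per destination. Everything here is an assumption
# for illustration; adjust interface, prefix and bandwidth to your network.
fwcmd="${fwcmd:-/sbin/ipfw}"     # rc.firewall convention; fwcmd=echo for a dry run
oif="${oif:-fxp0}"               # Internet-facing interface (placeholder)
mynet="${mynet:-192.0.2.0/24}"   # our LAN (constructed, RFC 5737 prefix)

# One IPFW2 table replaces hundreds of per-network deny rules.
# Table 1: private/loopback space that must never arrive from the Internet.
bogons="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

setup_firewall() {
    $fwcmd -f flush
    $fwcmd -f pipe flush
    $fwcmd table 1 flush
    for net in $bogons; do
        $fwcmd table 1 add "$net"
    done

    # Filter off the junk first, before any packet reaches the rate limiter:
    # bogon sources and packets claiming our own LAN as source (spoofed).
    $fwcmd add 100 deny ip from 'table(1)' to any in via "$oif"
    $fwcmd add 110 deny ip from "$mynet" to any in via "$oif"

    # Dummynet pipe 1: a small bandwidth cap for inbound SYNs only, with a
    # separate queue per destination address so a flood against one host
    # does not consume the SYN budget of the others. 'setup' matches TCP
    # packets with SYN set and ACK clear; established flows never enter the
    # pipe. With the default net.inet.ip.fw.one_pass=1 a packet leaving the
    # pipe is accepted, so no further allow rule is needed for it.
    $fwcmd pipe 1 config bw 64Kbit/s queue 50 mask dst-ip 0xffffffff
    $fwcmd add 200 pipe 1 tcp from any to "$mynet" in via "$oif" setup

    # ipf ahead of us has already dropped non-established, non-SYN traffic,
    # so the remainder is allowed through.
    $fwcmd add 65000 allow ip from any to any
}

# Apply only when explicitly asked, so sourcing the file is harmless.
case "${1:-}" in
    apply) setup_firewall ;;
esac
```

Run as root with `sh firewall.sh apply`, or `fwcmd=echo sh -c '. ./firewall.sh; setup_firewall'` to review the generated rule set.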
