[Shorewall-devel] Re: [Shorewall-users] Common Rules

Tom Eastep teastep@shorewall.net
Wed, 7 Aug 2002 10:48:28 -0700 (PDT)


On Wed, 7 Aug 2002, Tom Eastep wrote:

> 
> > 
> > PPS:
> > Regarding SYN floods.  I believe you actually do need SYN cookies enabled to
> > protect you from this kind of DOS.
> > Packet rate limits will ARBITRARILY drop incoming packets that exceed the
> > given threshold.
> > The problem is that the SYN packet it drops might actually be a Valid
> > connection attempt (not part of the SYN flood).
> > Therefore, even if your connection limits and defined timeouts keep your
> > system from running out of memory, you may still DROP valid connection
> > attempts.
> > 
> > As you probably already know, with SYN cookies once the system reaches a
> > certain number of USED connections it
> > simply hands these "cookies" back to the requesting client without
> > discrimination.  The vaild clients will be able to use this cookie to
> > establish valid connections while the client doing the SYN flood won't make
> > a connection.
> >
> 
> I'm aware of these facts but SYN cookies can be enabled by a user without
> any help from Shorewall whereas the rate-limiting code would be difficult
> for a user to insert into Shorwall's ruleset. I've taken that view toward
> a lot of things in /proc/sys/net/ipv4 -- if the user wants it, then the 
> user can set it.
> 
> Now that Shorewall is reaching maturity, I can consider starting to 
> intergrate more of those parameters (as I did with proxy_arp in 1.3.5).
>  

The other thing to keep in mind about SYN cookies is that they really need 
to be enabled on your servers and not on your firewall. Your firewall 
shouldn't be hosting any services (unless you're a one- or two-system 
shop).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net