| As for Linux, ipchains and ipmasqadm should work fine - but depending on
| timescales, you may want to consider the netfilter (iptables) facilities
| of the new 2.4 kernel (including Quality of Service, so you could feasibly
| limit the bandwidth of specific DoS attacks and leave some remaining for
| web traffic). It also allows for stateful firewall rules.
Yes, 2.4 is far better for firewall, since it provides stateful
connection and rate limiting on packet types, so you can limit
connections from an IP to a port, from all IPs to a port, etc.
Since masquerade, port forwarding, SNAT and DNAT are all built into
the base package, you don't need to browse the net looking for this and
that additional packages to do what you want.
| Use the SYN-cookies facilities to help circumvent some of the effects of
| SYN/ACK floods.
| It would be best to set up a DMZ (Demilitarized Zone) firewall -
| specifically, the firewall having 3 NICs. One interface to the internet,
| one to the screwed down local LAN and the third to the public web
| servers. This way you can drop some of the firewall security for the web
| servers without compromising the local LAN.
I guess... Cisco does it with their PIX (from memory) product, but I
like separate firewalls if I bother at all. That way if the outer gets
compromised the inner may yet hold. See below:
Inet =====[outer firewall]=========[inner firewall]===[trusted hosts]
While a three NIC firewall is more like:
Inet ============[firewall]============[trusted hosts]
You can do this with iptables easily, and with ipchains with a good
bit of thought. I would send a very limited number of services to the
servers, and never let it generate a SYN packet to the inner net.
The added security of dual firewalls is not cost effective in most
cases, without a doubt. If remote logins are really required you can use
a VPN server on a separate machine for highest security, but again it's
not cost effective in most cases.
They really ARE out to get you.
Make the rules? I don't make the rules. I don't even FOLLOW the rules!
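The three-NIC DMZ layout and the stateful, rate-limited iptables rules discussed in this thread, written out as an added example (not either poster's own configuration); the interface names, network ranges and public address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): three-NIC DMZ ruleset for 2.4-era iptables. Interface names and addresses are assumptions.
EXT=eth0              # internet
LAN=eth1              # locked-down local LAN
DMZ=eth2              # public web servers
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
WEB=192.168.2.10      # the one host the internet may reach
EXT_IP=203.0.113.5    # public address used for SNAT
# Emit the ruleset in iptables-restore format so it can be reviewed before loading.
dmz_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_LIMIT - [0:0]
# stateful core: packets belonging to flows we already know are always allowed
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SYNs arriving from the internet: at most 25/s (burst 50), the rest are dropped
-A SYN_LIMIT -m limit --limit 25/s --limit-burst 50 -j RETURN
-A SYN_LIMIT -j DROP
-A FORWARD -i $EXT -p tcp --syn -j SYN_LIMIT
# the internet may open connections only to the web server's port 80
-A FORWARD -i $EXT -o $DMZ -p tcp -d $WEB --dport 80 -m state --state NEW -j ACCEPT
# the LAN may reach the internet and the DMZ; nothing else may open connections into the LAN
-A FORWARD -i $LAN -o $EXT -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
# DMZ hosts never originate a connection into the LAN (explicit, though the policy is DROP)
-A FORWARD -i $DMZ -o $LAN -m state --state NEW -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# port-forward web traffic to the DMZ host; masquerade LAN and DMZ behind EXT_IP
-A PREROUTING -i $EXT -p tcp --dport 80 -j DNAT --to-destination $WEB
-A POSTROUTING -o $EXT -s $LAN_NET -j SNAT --to-source $EXT_IP
-A POSTROUTING -o $EXT -s $DMZ_NET -j SNAT --to-source $EXT_IP
COMMIT
EOF
}
# Load the ruleset and turn on SYN cookies (run as root on the firewall host).
apply_rules() {
  sysctl -w net.ipv4.tcp_syncookies=1
  dmz_rules | iptables-restore
}
```

Inspect the output of `dmz_rules` first, then call `apply_rules` on the firewall itself.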