Re: [fw-wiz] TCP syncookies - firewall or host?

Why even allow the servers to see all of those options and thebn have to decide. I myself think PIX should drop it all at the external interfaces and never have to process anything further than that.

-----Original Message-----
From: Florin Andrei [mailto:florin@xxxxxxxxxxxxxxx]
Sent: Tuesday, April 3, 2007 04:13 PM
To: 'Firewall Wizards Security Mailing List'
Subject: [fw-wiz] TCP syncookies - firewall or host?

Speaking about SYN flood - where would you handle it, at the firewall
level, or at the host level?

Practical example:
A PIX-515E running v7.2.2, 128MB RAM
About 16 servers running Red Hat Enterprise 4, 8 GB RAM each, 4 CPU
cores (recent AMD64 CPUs), all of them behind the firewall

syncookies can be enabled either at the firewall level, or at the host
level. Also, all kinds of TCP parameters can be tweaked on the firewall
(intercept and connection limits) but also on the servers via the /proc

This sounds like a job for the firewall, but on the other hand all those
servers are very fast, there's a lot of them, and usually they're mostly
idle. So I'm very tempted to dump that task on the servers.

Pros and cons?

Florin Andrei
firewall-wizards mailing list

firewall-wizards mailing list

Relevant Pages

  • Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)
    ... > console based ftp client. ... the FTP servers have? ... > They are really mail servers, at least smtp for outgoing mails ... If you're firewall was dropping incoming packets destined to ...
  • RE: Slow user logon on Terminal server after migration to Windows 2003
    ... The Terminal Servers are 2000 or 2003. ... "Inside the firewall zone" means that the Citrix Servers have a firewall ... available RPC ports? ...
  • Re: medical records, web server, & stateful firewall vs packet filter
    ... > image and SQL servers directly (the image server link in particular ... The image and SQL servers ... the 2 firewall layers should run different s/ware - the idea is that a major ... security always cost a lot more than you expect (this comes up whenever we ...
  • RE: Secure Network Design (DMZ, LAN, etc)
    ... you'll see that their both on the same subnet. ... It has a port for the trusted network and a port ... Our firewall handles NAT. ... > servers, wouldn't it require a public IP and therefore be somewhat ...
  • Re[3]: What can make DNS lookups slow? [semi-solved]
    ... My problem was that DNS lookups from and through my debian firewall ... My ISP's DNS servers are handing back replies from ... the machines inside the firewall, then I'd love to hear of it. ... # means that it queries the dmz server for everything ...