RE: iptables

To: Anders Gjare <Anders@oslo.kvalito.no>
Cc: Vineet Kumar <debian-security@virtual.doorstop.net>, <debian-firewall@lists.debian.org>
Subject: RE: iptables
From: Tzafrir Cohen <tzafrir@technion.ac.il>
Date: Fri, 22 Jun 2001 21:42:36 +0300 (IDT)
Message-id: <Pine.GSO.4.33_heb2.09.0106222128000.1218-100000@techunix.technion.ac.il>
In-reply-to: <010B55064719D511AEBD0050048803620D3359@sekunda5.oslo.kvalito.no>

On Fri, 22 Jun 2001, Anders Gjare wrote:

> the main reason for the firewall/router is to have the ability to block
> spesified ip/ip-classes.
>
> we have a problem of beeing ddos'ed, and whith a firewall like this we
> could block the traffick before it enters our network at the office.

You will block it before it enters your network, but not before it
saturate the line from your ISP.

That cannot be done at your end, and has to be done at your ISP's side.

>
> i dont think bridge would work so good, atleast not later when we
> upgrade the box.
> currently there are 5 100mbit nic, and later there will be 1 1gbps and 4
> 100mbit nic.

Are those NICs in seperate subnets?

>
> so there must be a solution that accepts the ip-klass from the inside
> network, and routeit through the firewall.

If it is a bridge, then you can (and should) have a seperate router. If
you want the box to also do routing, then it should probably not be a
bridge...

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir

Reply to:

References:
- RE: iptables
  - From: "Anders Gjare" <Anders@oslo.kvalito.no>

Prev by Date: RE: iptables
Next by Date: Hacked??
Previous by thread: RE: iptables
Next by thread: [OT]pptp + devfs
Index(es):
- Date
- Thread