Firewall on Teardrop Attack!!! Post: 302454435

7 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Bruteforce attack on my pc

since putting my pc online, it keeps getting slower and i dig the logfile to have such a surprise: this is just one of a many and I beleived it's a bruteforce attack how do i block this IP 200.41.81.228 from trying to knock my online pc? my system: FreeBSD testing.net 6.2-STABLE-JE...

2. Cybersecurity

Replay Attack

REPLAY ATTACK. Can some one elobrate on measures to encounter this problem of replay atack on network.

3. Cybersecurity

What I think is a DoS attack

About 3 days ago our Apache logs started filling with the following errors: mod_ssl: SSL handshake failed (server <weberver>:443, client 41.235.234.172) (OpenSSL library error follows) OpenSSL: error:1408A0B7:SSL routines:SSL3_GET_CLIENT_HELLO:no ciphers specified These initially were...

4. Cybersecurity

Found attack from

Hi, I have a belkin router installed and a look at the security log has got me worried a little bit. Security log: Fri Jan 29 20:41:46 2010 =>Found attack from 68.147.232.199. Source port is 58591 and destination port is 12426 which use the TCP protocol. Fri Jan 29 20:41:46 2010 ...

5. Cybersecurity

Network attack - so what?

In my logs I find entries about attacks on my system. I know IP addresses, I know date and time and I know what they tried to do. So what's the best I can do now? Tell everybody that there are cybercriminals on that network? Write an email to their admin? Anything else?

6. Cybersecurity

UUCP attack?

Is this an attack attempt? I got an e-mail from 'uucp Admin' last night and again this morning: What does it mean and what can I do about it? Thanks

7. Emergency UNIX and Linux Support

DDOS attack please help!

Dear community, my site was recently attacjed by DDOS technique and goes down in a few minutes. My site runs under Debian/Apache2/Mysql. I identified the IPs who attack me and block it through iptable firewall from debian. Something like: iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP This...

LEARN ABOUT PLAN9

pfsync

PFSYNC(4)						   BSD Kernel Interfaces Manual 						 PFSYNC(4)

NAME

     pfsync -- packet filter state table logging interface

SYNOPSIS

     device pfsync

DESCRIPTION

     The pfsync interface is a pseudo-device which exposes certain changes to the state table used by pf(4).  If configured with a physical syn-
     chronisation interface, pfsync will send state changes out on that interface using IP multicast, and insert state changes received on that
     interface from other systems into the state table.

     By default, all local changes to the state table are exposed via pfsync.  However, state changes from packets received by pfsync over the
     network are not rebroadcast.  States created by a rule marked with the no-sync keyword are omitted from the pfsync interface (see pf.conf(5)
     for details).

     The pfsync interface will attempt to collapse multiple updates of the same state into one message where possible.	The maximum number of
     times this can be done before the update is sent out is controlled by the maxupd parameter to ifconfig (see ifconfig(8) and the example below
     for more details).

     Each packet retrieved on this interface has a header associated with it of length PFSYNC_HDRLEN.  The header indicates the version of the
     protocol, address family, action taken on the following states, and the number of state table entries attached in this packet.  This struc-
     ture is defined in <net/if_pfsync.h> as:

	   struct pfsync_header {
		   u_int8_t version;
		   u_int8_t af;
		   u_int8_t action;
		   u_int8_t count;
	   };

NETWORK SYNCHRONISATION

     States can be synchronised between two or more firewalls using this interface, by specifying a synchronisation interface using ifconfig(8).
     For example, the following command sets fxp0 as the synchronisation interface:

	   # ifconfig pfsync0 syncdev fxp0

     It is important that the underlying synchronisation interface is up and has an IP address assigned.

     By default, state change messages are sent out on the synchronisation interface using IP multicast packets.  The protocol is IP protocol 240,
     PFSYNC, and the multicast group used is 224.0.0.240.  When a peer address is specified using the syncpeer keyword, the peer address is used
     as a destination for the pfsync traffic, and the traffic can then be protected using ipsec(4).  In such a configuration, the syncdev should
     be set to the enc(4) interface, as this is where the traffic arrives when it is decapsulated, e.g.:

	   # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0

     It is important that the pfsync traffic be well secured as there is no authentication on the protocol and it would be trivial to spoof pack-
     ets which create states, bypassing the pf ruleset.  Either run the pfsync protocol on a trusted network - ideally	a network dedicated to
     pfsync messages such as a crossover cable between two firewalls, or specify a peer address and protect the traffic with ipsec(4).

     For pfsync to start its operation automatically at the system boot time, pfsync_enable and pfsync_syncdev variables should be used in
     rc.conf(5).  It is not advisable to set up pfsync with common network interface configuration variables of rc.conf(5) because pfsync must
     start after its syncdev, which cannot be always ensured in the latter case.

EXAMPLES

     pfsync and carp(4) can be used together to provide automatic failover of a pair of firewalls configured in parallel.  One firewall handles
     all traffic - if it dies or is shut down, the second firewall takes over automatically.

     Both firewalls in this example have three sis(4) interfaces.  sis0 is the external interface, on the 10.0.0.0/24 subnet; sis1 is the internal
     interface, on the 192.168.0.0/24 subnet; and sis2 is the pfsync interface, using the 192.168.254.0/24 subnet.  A crossover cable connects the
     two firewalls via their sis2 interfaces.  On all three interfaces, firewall A uses the .254 address, while firewall B uses .253.  The inter-
     faces are configured as follows (firewall A unless otherwise indicated):

     Interfaces configuration in /etc/rc.conf:

	   network_interfaces="lo0 sis0 sis1 sis2"
	   cloned_interfaces="carp0 carp1"
	   ifconfig_sis0="10.0.0.254/24"
	   ifconfig_sis1="192.168.0.254/24"
	   ifconfig_sis2="192.168.254.254/24"
	   ifconfig_carp0="vhid 1 pass foo 10.0.0.1/24"
	   ifconfig_carp1="vhid 2 pass bar 192.168.0.1/24"
	   pfsync_enable="YES"
	   pfsync_syncdev="sis2"

     pf(4) must also be configured to allow pfsync and carp(4) traffic through.  The following should be added to the top of /etc/pf.conf:

	   pass quick on { sis2 } proto pfsync
	   pass on { sis0 sis1 } proto carp

     If it is preferable that one firewall handle the traffic, the advskew on the backup firewall's carp(4) interfaces should be set to something
     higher than the primary's.  For example, if firewall B is the backup, its carp1 configuration would look like this:

	   ifconfig_carp1="vhid 2 pass bar advskew 100 192.168.0.1/24"

     The following must also be added to /etc/sysctl.conf:

	   net.inet.carp.preempt=1

BUGS

     Possibility to view state changes using tcpdump(1) has not been ported from OpenBSD yet.

SEE ALSO

     bpf(4), carp(4), ifconfig(8), inet(4), inet6(4), ipsec(4), netintro(4), pf(4), pf.conf(5), protocols(5), rc.conf(5) ifconfig(8), ifstated(8),
     tcpdump(8)

HISTORY

     The pfsync device first appeared in OpenBSD 3.3.  The pfsync device was imported to FreeBSD 5.3.

BSD
								   June 6, 2006 							       BSD