> -----Original Message-----
> From: Hilton Travis [mailto:Hilton at QuarkAV dot com]
> Sent: Saturday, February 21, 2004 5:34 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Feature Request : Portscan block and Anti-DoS (but NO IDS)
> On Sun, 2004-02-22 at 09:02, Timothy Jans wrote:
> > From: "Hilton Travis" <Hilton at QuarkAV dot com>
> > > Hi Tim,
> > >
> > > On Sat, 2004-02-21 at 20:13, Timothy Jans wrote:
> > > > What I would like to see in M0n0wall is a Portscan blocker and
> > > > Anti-DoS which are adjustable in the Web interface
> > > > (because some services have none or bad anti-DoS protection).
> > >
> > > If you choose to run an insecure service behind your firewall,
> > > you are asking for trouble. It is the job of any service to be
> > > secure - the firewall cannot "know" what is running behind it and
> > > implement specific security measures based on the application
> > > running on a particular server/port. The firewall's job is to
> > > all traffic that you don't specifically allow through, so if you
> > > allow traffic to an internal DMZ or LAN server, then it is your
> > > and the job of the server itself, to ensure that it is secure.
> > >
> > > As for a portscan blocker, this is unnecessary. Portscanning a
> > > network is not illegal. Portscanning a network can cause no
> > > if you have a secure network only allowing required traffic in,
> > > if you are running secured servers internally that are listening
> > > for this traffic.
> > >
> > > > I do not mean a IDS like Snort because they do not actually
> > > > in a firewall.
> > > > (are too heavy (embedded systems), are too complicated (bugs)
> > > > I do not actually believe in them...)
> > >
> > > I don't see how you cannot believe in a legitimate security tool
> > > such as an IDS yet want illegitimate "tools" such as anti-DOS and
> > > portscan-blocker features in a firewall.
> > >
> > > As you hinted at, running any unnecessary services on a firewall
> > > asking for trouble. This is half the reason there's no snort (or
> > > other IDS) on m0n0wall - the other reason is that this is an
> > > inappropriate place for such a tool - inside the firewall is where
> > > these belong. Adding these esoteric functions you asked about to
> > > m0n0wall will do close to nothing for your security, will add to
> > > the code-base on the firewall (therefore add to its susceptibility
> > > to vulnerability), and add to the load the firewall places on its
> > > hardware. None of these are advantages.
> > Thanks for the answer.
> > But would it not be more wise to block a flood attack at the
> > (limiting the number of connections per IP, etc...)
> > Or am I thinking wrong here?
> There is no possible way to limit the number of connection attempts
> IP at the firewall. For the firewall to be able to detect a
> attempt, the connection attempt has to actually make it to the
> firewall. The traffic has already reached your network, and the
> bandwidth is already used. Therefore, blocking DDoS attacks (or flood
> attacks) at a firewall on your network is entirely ineffective. To be
> effective, they need to be blocked at (or preferably before) your ISP.
> As I mentioned before, it is not the firewall's job to know what
> services you are running internally, it is the firewall's job to block
> all traffic that you have not specifically allowed through to your
> DMZ/LAN. It is the job of the server to determine what sort of
> is appropriate to accept, not the firewall. I can run any service I
> like on any port I choose. Some require many connection attempts,
> require few. Yet others require none. For a firewall to keep track
> all this additional information and also the types of connection
> requests would place a load on the firewall beyond what most m0n0wall
> hardware could handle. You'd need a P4 for your firewall, not a
> Pentium. Also, the process would not truly be effective, as any
> to the server - updated, bug fixes, etc - may mean that you now need
> reconfigure the firewall for that particular port/service, increasing
> the complexity of your network, therefore increasing the likelihood
> something gets configured incorrectly and breaks.
> Hilton Travis Phone: +61-(0)7-3343-3889
> Manager, Quark AudioVisual Phone: +61-(0)419-792-394
> Quark Computers http://www.QuarkAV.com/
> (Brisbane, Australia) http://www.QuarkAV.net/
> Open Source Projects: http://www.ares-desktop.org/
> Non Linear Video Editing Solutions & Digital Audio Workstations
> Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
> Conference and Seminar AudioVisual Production and Recording
> War doesn't determine who is right. War determines who is left.
While the malicious incoming packets have already used your connection
bandwidth, one could limit/prevent outgoing packets (say ACKs or other
packets pointing to the source IPs for instance) that'd further congest
the network. (Hence anti-DoS and not DoS prevention or protection.)
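The trade-off argued in this thread, as an added illustration that is not code from m0n0wall or from either poster: a per-source sliding-window limiter run over a constructed list of inbound SYN attempts. The `inbound_bytes` counter grows with every packet whatever the verdict, which is Hilton's point that the link bandwidth is already spent; the dropped attempts are the only saving, namely the outbound replies the follow-up suggests suppressing. The limiter thresholds and packet sizes are assumed values.

```python
from collections import defaultdict, deque

# Constructed sample of inbound SYN attempts as (time_s, src_ip, bytes) tuples.
# 203.0.113.7 floods the firewall; 198.51.100.9 is a single ordinary client.
SAMPLE_SYNS = [
    (0.0, "203.0.113.7", 60), (0.1, "203.0.113.7", 60), (0.2, "203.0.113.7", 60),
    (0.3, "203.0.113.7", 60), (0.4, "203.0.113.7", 60), (0.5, "203.0.113.7", 60),
    (0.6, "198.51.100.9", 60), (1.2, "203.0.113.7", 60), (11.0, "203.0.113.7", 60),
]


class PerSourceLimiter:
    """Sliding-window limiter: at most max_attempts SYNs per source IP in window_s."""

    def __init__(self, max_attempts=5, window_s=10.0):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.history = defaultdict(deque)  # src_ip -> timestamps of accepted SYNs

    def allow(self, now, src_ip):
        q = self.history[src_ip]
        while q and now - q[0] > self.window_s:  # expire attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False  # over the limit: drop, send no SYN/ACK
        q.append(now)
        return True


def simulate(syns, limiter, synack_bytes=60):
    """Run the limiter over the SYN list and account for bytes on each side."""
    stats = {"inbound_bytes": 0, "accepted": 0, "dropped": 0, "reply_bytes_saved": 0}
    for t, ip, size in syns:
        # Counted before any decision: the packet already crossed the uplink.
        stats["inbound_bytes"] += size
        if limiter.allow(t, ip):
            stats["accepted"] += 1
        else:
            stats["dropped"] += 1
            stats["reply_bytes_saved"] += synack_bytes  # the only bandwidth actually saved
    return stats


if __name__ == "__main__":
    print(simulate(SAMPLE_SYNS, PerSourceLimiter()))
```

The limiter drops the flooder's sixth and eighth attempts and admits the ninth once the window has slid, yet every one of the nine packets still counts toward inbound bytes.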