[unisog] High speed firewalls - Connections per second not bits per second

Chris Green cmgreen at uab.edu
Mon Feb 21 19:04:52 GMT 2005


On 2/21/05 10:40 AM, "Mayne, Jim" <J.Mayne at tcu.edu> wrote:

> 
> Currently TCU is using a Checkpoint FW1 NG AI firewall running on a
> Nokia platform in front of our RESNET network. We have begun to see more
> and more problems with the firewall dropping packets when we get a rash
> of infected machines. Nokia is now telling us that without their IP2250
> (Very expensive!) box they cannot handle over 1k connections per second
> when running FW1 (even with SecureXL and every other optimization they
> can think of). 1k cps is not much when you have even a few infected
> machines.
> 

I seem to recall someone adding a connection rate limiting per source IP on
some firewall product but I can't recall which one.  The problem you're
having is that the 1k cps is shared amongst all your users rather than
giving an individual IP his own right to kill his own connection.  This has
got to be a common problem for fw vendors these days.

In quick googling, I've seen hints that iptables and maybe very new
OpenBSD/pf support them.  Surely some commercial product also contains that
feature.

Cheers,
Chris




More information about the unisog mailing list