Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

Josh Brooks user at mail.econolodgetulsa.com
Thu Jan 16 23:17:44 UTC 2003



I am looking for comments and suggestions regarding the merits of
purpose-built, appliance style firewalls (like a netscreen or Cisco PIX)
vs. running ipfw on a commodity server running FreeBSD.  I am interested
only in packet filtering and rate limiting performance - NOT in VPNs or
IPsec/crypto considerations.

---

Currently, I run a FreeBSD firewall running ipfw (500 MHz celeron, 256
megs RAM).  This machine does nothing - runs no services but ssh, and
simply sits at my network border doing packet filtering.  I have a lot of
hosts (four /24s - about 500 active IPs) behind this firewall, and
generally push 5-7 megabits/s.  Sometimes it can go as high as 12.  The
point is, the box is always fine and I am happy with it.

Recently I have started getting more and more DoS and DDoS attacks.  They
range from very simple syn floods to ICMP echo floods to very odd UDP
floods.

The problem I am running into is simply that my firewall CPU chokes.  It
is not because the traffic is high - the line does not become saturated,
and sometimes total traffic can be less than 5 megabits/s - BUT the
packets/s count goes way up (sometimes by a factor of 50) and because all
of these packets have to go through my entire ruleset, the firewall's CPU
chokes.  It does not crash, it simply stops forwarding any traffic,
effectively blackholing my entire network.  As soon as the attack is
stopped, the firewall is fine.

---

I have responded by doing a ton of research, testing, reading ... and so
on.  Blocking obviously bad packets, rate limiting ICMP echo responses,
rate limiting TCP RSTs - I admit I have a long way to go before I exhaust
the bags of tricks that people have to improve their FreeBSD+ipfw
firewalls.  But every time I improve the ruleset, something new comes
along - something that gets through the nets and once again, I have some
weird attack at 12-15K packets/second traversing all 400 of my firewall
rules (because they don't match anything until the end when they are
allowed through) and choking my firewall up.

It is very frustrating because the attacks are small in terms of bandwidth
- never more than 10 megabits/s.  It is simply too many packets/s and not
a sophisticated enough ruleset to keep the high-rate garbage from
traversing every rule.

---

So my questions are as follows:

1. Am I wasting my time trying to make my FreeBSD+ipfw firewall more
resilient and sophisticated ?  Again, I have probably only scratched the
surface, but let's say I emerge from my office 12 months from now having
memorized the ipfw source code and having learned _everything_ there is to
learn about this problem - will I simply conclude that FreeBSD+ipfw is not
good enough and I just need to go get an appliance ?

2. I happen to like a host-based firewall (a firewall running on a normal
user OS like FreeBSD) better than an appliance.  You get to do anything
you need with it, you have a full complement of unix tools like grep and
awk and tcpdump and expect, etc. - it seems like you have more control.
Assuming (for a moment) that performance were equal, does anyone else feel
this way ?  Does anyone else prefer a normal system for a firewall over,
say, a PIX ?

3. I am not that high profile ... but what do the high profile (shell
servers like foonet and EFnet irc server operators) people use ?  Would
any of those people consider even for a moment using a FreeBSD+ipfw system
for their packet filtering and rate shaping ?

I just want to know if I should give up now and shell out a few grand for
an appliance, or if it is reasonable for me to attempt to protect a
network of my size.

Thank you very much.
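Added example, not code from the original post or from the NANOG thread: an ipfw ruleset skeleton of the FreeBSD 4.x era arranged so that the high-rate garbage described above is denied or passed after a handful of rules instead of traversing all 400 (established TCP first, bogus sources next, then a per-protocol skipto so a UDP flood never walks the TCP rules). It assumes an outside interface fxp0, a protected prefix 203.0.113.0/24 and a mail host 203.0.113.25 (all constructed), and a kernel built with options DUMMYNET for the pipe; it prints the commands by default and only applies them when run as root with IPFW=ipfw SYSCTL=sysctl.

```shell
#!/bin/sh
# Added example: ipfw ruleset ordered for high packets/s, dry-run by default.
IPFW=${IPFW:-echo ipfw}          # set IPFW=ipfw to really load the rules
SYSCTL=${SYSCTL:-echo sysctl}    # set SYSCTL=sysctl to really tune the kernel
EXT=fxp0                         # assumed outside interface (constructed)
NET=203.0.113.0/24               # assumed protected prefix (constructed)
MAIL=203.0.113.25                # assumed published mail host (constructed)

build_ruleset() {
    $IPFW -f flush
    # 1. Cheapest and most common case first: packets of already-open TCP
    #    connections leave the ruleset at rule 100 without touching the rest.
    $IPFW add 100 allow tcp from any to any established
    # 2. Obviously bogus sources arriving on the outside interface die early:
    #    private, loopback, and our own prefix spoofed from outside.
    $IPFW add 200 deny ip from 10.0.0.0/8 to any in via $EXT
    $IPFW add 201 deny ip from 172.16.0.0/12 to any in via $EXT
    $IPFW add 202 deny ip from 192.168.0.0/16 to any in via $EXT
    $IPFW add 203 deny ip from 127.0.0.0/8 to any in via $EXT
    $IPFW add 204 deny ip from $NET to any in via $EXT
    # 3. Dispatch by protocol: a UDP flood never walks the TCP rules, and
    #    anything that is not TCP/UDP/ICMP is dropped right here.
    $IPFW add 300 skipto 1000 tcp from any to any
    $IPFW add 310 skipto 2000 udp from any to any
    $IPFW add 320 skipto 3000 icmp from any to any
    $IPFW add 390 deny ip from any to any
    # TCP section: new connections only to published services or outbound;
    #    any other SYN or odd flag combination hits the deny within 3 rules.
    $IPFW add 1000 allow tcp from any to $MAIL 25 setup in via $EXT
    $IPFW add 1010 allow tcp from $NET to any setup out via $EXT
    $IPFW add 1990 deny tcp from any to any
    # UDP section: DNS out, replies matched statically on source port 53
    #    rather than with keep-state, so a flood cannot fill the dynamic table.
    $IPFW add 2000 allow udp from $NET to any 53 out via $EXT
    $IPFW add 2010 allow udp from any 53 to $NET in via $EXT
    $IPFW add 2990 deny udp from any to any
    # ICMP section: inbound echo requests are squeezed through a dummynet
    #    pipe, a few useful types pass, everything else is dropped.
    $IPFW pipe 1 config bw 128Kbit/s
    $IPFW add 3000 pipe 1 icmp from any to any in via $EXT icmptypes 8
    $IPFW add 3010 allow icmp from any to any icmptypes 0,3,8,11
    $IPFW add 3990 deny icmp from any to any
}

tune_sysctls() {
    # Kernel-side per-second limit on the ICMP replies and TCP RSTs that the
    # firewall host itself generates in response to unsolicited packets.
    $SYSCTL net.inet.icmp.icmplim=200
}

build_ruleset
tune_sysctls
```

Rule numbers are spaced so that per-host exceptions can be slotted into the section where the protocol already lands; what matters for the pps problem is that every section ends in its own deny.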
