Hello everyone, it is a pleasure to be here.

I have a problem with my server, it runs qmail SMTP and I protect it with
shorewall. Since yesterday I get syn flood attacks on port 25, which means
that no longer meet. How can I stop this with shorewall? My setup is as
follows.

zones:
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
dmz     DMZ       Demilitarized zone

interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,blacklist,routefilter

policy:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST (we must put here?)
loc       net    ACCEPT
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

rules:
# MailServer
ACCEPT   net   $FW   tcp   25
ACCEPT   net   $FW   tcp   110
ACCEPT   net   $FW   tcp   143
ACCEPT   net   $FW   tcp   993
ACCEPT   net   $FW   tcp   995
ACCEPT   net   $FW   tcp   465

Thank you for listening. Greetings!

Lucas

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Lucas Frazzetto wrote:
> Hello everyone, is a pleasure to be here.
> I have a problem with my server, it runs qmail SMTP and protect it with
> shorewall. Since yesterday I get syn flood attacks on port 25, which
> means that no longer meet. How can I stop this with shorewall?

You can't stop it -- you can only cause excess syn packets to be dropped.

> policy:
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST (we must put here?)

Yes -- in your net->all policy. It would also be a good idea to put this in
your /etc/shorewall/start file:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

-Tom

> loc       net    ACCEPT
> $FW       net    ACCEPT
> net       all    DROP     info
> all       all    REJECT   info

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
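To make Tom's two suggestions concrete, here is an added example (not from the thread and not Shorewall's own code): it rewrites Lucas's policy file with the LIMIT:BURST column filled in on the net->all DROP line, appends the syncookies line to the start file, and offers a check of the sysctl. The LIMIT:BURST syntax RATE/UNIT[:BURST] with units sec/min/hour/day and a default burst of 5 is taken from the Shorewall policy documentation; SHOREWALL_DIR defaults to a scratch directory so nothing touches /etc/shorewall unless you point it there.

```shell
#!/bin/sh
# Added example: SYN-flood mitigation settings from the thread, written to
# $SHOREWALL_DIR (a scratch directory by default, /etc/shorewall in production).
SHOREWALL_DIR="${SHOREWALL_DIR:-$(mktemp -d)}"

# Validate a Shorewall LIMIT:BURST value of the form RATE/UNIT[:BURST],
# e.g. "10/sec:20". Returns 0 when well-formed, 1 otherwise.
valid_limit_burst() {
    case "$1" in
        ''|*[!0-9a-z/:]*) return 1 ;;
    esac
    rate="${1%%:*}"                      # "10/sec"
    burst="${1#*:}"                      # "20", or the whole string if no ':'
    [ "$burst" = "$1" ] && burst=5       # Shorewall assumes a burst of 5
    num="${rate%%/*}"
    unit="${rate#*/}"
    case "$num"   in ''|*[!0-9]*) return 1 ;; esac
    case "$burst" in ''|*[!0-9]*) return 1 ;; esac
    case "$unit"  in sec|min|hour|day) return 0 ;; *) return 1 ;; esac
}

# Write the policy file: Lucas's four policies, with the SYN rate limit
# added to the net->all DROP line as Tom advised.
write_policy() {
    limit="$1"
    valid_limit_burst "$limit" || return 1
    cat > "$SHOREWALL_DIR/policy" <<EOF
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     net     ACCEPT
\$FW     net     ACCEPT
net     all     DROP    info        $limit
all     all     REJECT  info
EOF
}

# Append Tom's sysctl line to the start file (run by Shorewall after startup).
write_start() {
    printf '%s\n' 'echo 1 > /proc/sys/net/ipv4/tcp_syncookies' >> "$SHOREWALL_DIR/start"
}

# Report whether SYN cookies are on; reads the given file, or the live sysctl.
syncookies_enabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Usage: 10 new SYNs per second from a single policy, burst of 20.
write_policy "10/sec:20" && write_start && cat "$SHOREWALL_DIR/policy"
```

Excess SYNs beyond the limit are dropped before reaching qmail; as Tom notes this does not stop the flood, it only keeps the mail daemon reachable under it.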
On Mon, Jun 2, 2008 at 2:23 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Lucas Frazzetto wrote:
>
>> Hello everyone, is a pleasure to be here.
>> I have a problem with my server, it runs qmail SMTP and protect it with
>> shorewall. Since yesterday I get syn flood attacks on port 25, which means
>> that no longer meet. How can I stop this with shorewall?
>>
>
> You can't stop it -- you can only cause excess syn packets to be dropped.
>
>> policy:
>> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
>> (we must put here?)
>>
>
> Yes -- in your net->all policy. It would also be a good idea to put this in
> your /etc/shorewall/start file:
>
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> -Tom
>
>> loc       net    ACCEPT
>> $FW       net    ACCEPT
>> net       all    DROP     info
>> all       all    REJECT   info
>>
>
> -Tom
>

I saw some more settings (using iptables and echos in /proc) in this post:
http://www.webhostingtalk.com/archive/index.php/t-355411.html

Is the above single setting enough to minimize Syn Flood Attack, or can some
settings in this post improve this measure?

-Gilson
Gilson Soares wrote:
>
> I saw some more settings (using iptables and echos in /proc) in this
> post: http://www.webhostingtalk.com/archive/index.php/t-355411.html
> Is the above single setting enough to minimize Syn Flood Attack or some
> settings in this post can improve this measure ?

That sounds like an excellent topic for you to research, Gilson. We will look
forward to your report.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> You can't stop it -- you can only cause excess syn packets to be dropped.
>

Yeah, that's really the job of his ISP.

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users