Mailinglist Archive: opensuse-security (757 mails)

Reply: Re: FW: [suse-security] optimal kernel config for firewall gateway ?
  • From: Michael.Heiming@xxxxxxxx
  • Date: Wed, 16 Jan 2002 16:03:35 +0100
  • Message-id: <41256B43.00581906.00@xxxxxxxxxxxxxxxxx>






From: Roman Drahtmueller <draht@xxxxxxe>
Date: 16.01.2002 15:38
To: Thomas Schmidt <ts@xxxxxxxx>
Cc: suse-security@xxxxxxxx, (Bcc: Michael Heiming/OAO HVD/EPLUS/DE)
Subject: Re: FW: [suse-security] optimal kernel config for firewall gateway ?







>
> It's true that you can use a 486 for a firewall, but I prefer a P-II
> or AMD K6-2 as the minimum requirement for 1 Mbit. The problem is not the
> traffic, but the syslog. We have several customers who are connected
> with 2 Mbit. If someone portscans your system or tries a DoS attack,
> your system load increases dramatically and the traffic stops :(

Nah...

The syslog.conf manpage states that if a logfile is preceded with a "-"
(like in

*.* -/var/log/allmessages

), then the syslogd will not call fsync() after a write() to this file.
By consequence, the load will remain small.

Generally, it's a good idea to fsync() all logfiles especially if
something really urgent has been logged (like a failing disk). Typically,
such logs are from the kernel, which leads one to believe that all kernel logs
should be synced at once. Unfortunately, firewall messages are kernel logs
as well, and then you have to change the perspective. If your syslogd
takes too much time to sync the data to disk, the kernel messages
ringbuffer (/proc/kmsg) might overflow and some messages might get lost.

I would prefer to set up remote syslogging on a firewall; that may give some
additional security and perhaps solve this problem.

Regards

Michael Heiming
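
Added example, not part of the original message: a classic sysklogd-style /etc/syslog.conf fragment that combines the two suggestions in this thread (unsynced kernel/firewall logging and forwarding to a remote log host). The file names, the host name "loghost" and the choice of selectors are assumptions for illustration.

```conf
# /etc/syslog.conf on the firewall (sysklogd syntax).
# Illustration only: paths and the host name "loghost" are assumed.

# All kernel messages, which include the packet filter's log lines.
# The leading "-" tells syslogd not to fsync() after every write, so a
# flood of firewall messages causes far less disk I/O. Trade-off: the
# last unsynced lines can be lost if the machine crashes.
kern.*                          -/var/log/firewall

# Urgent kernel messages (failing disk and similar) also go to a file
# WITHOUT the "-", so each of these lines is synced to disk at once.
kern.crit                       /var/log/kernel-critical

# Forward a copy of all kernel messages to a remote log host.
# "loghost" is a placeholder; it must resolve on the firewall,
# for example through an entry in /etc/hosts.
kern.*                          @loghost
```

With sysklogd, the receiving syslogd has to be started with `-r` to accept messages from the network. Forwarding uses plain UDP, so messages can be dropped under load and are not authenticated; a dedicated management network for the log traffic limits both problems.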