Yep. I see a lot of crazy stuff on my FreeBSD firewall logs. There are some which clearly reflect bots or zombies, because I get the same IP every second or two, usually hitting the same few ports. Right now the number one target is port 445. I suppose the major advantage to BSD, and Linux of course, is the lack of paranoia about the firewall and virus attacks. Under Windows, I always sweat that because I can’t afford a hardware firewall, and software firewalls are far from impervious.

I’m still nervous, simply because I figure a determined hacker will find a way eventually, but I agree. Do you use some kind of Brute Force blocking mechanism or just let them fire away?

A proper kernel-based firewall simply ignores the packets — they are routed to /dev/null. For attacks to have any effect, they have to be processed through the kernel, and it knows to ignore them. My filtering rules are provided by someone who understands this stuff better than I, but it includes stateful packet inspection, etc. So I just let them packet away at me. Nothing I can do anyway. My system ignores it as it does all the other packets routed to some other IP. Linux firewalls are supposed to work that way, too.

Oops, forget to check the context of your question. In Windows, there’s nothing I can do there either. Software firewalls process the packets for the kernel, and can be made to fail, as has happened in the past. My previous comment was for FreeBSD.

Make sense. How does that help with valid packets, though? For example, the aforementioned brute force attempts are valid attempts to login to SSH… they are merely trying random username/password combinations to do so.

On a desktop FreeBSD system, I have the luxury of turning off SSH. The one and only user has full access to the hardware at all times, and the install CD for FreeBSD includes boot-n-fix tools. On Windows, only NT-based versions offer SSH login, I believe. WinMe and earlier was only superficially multi-user, and just getting a response via connection was all it ever took. I’m guessing our only hope is to maintain the policy of very difficult-to-guess passwords. You’ll recall mine is pretty obscure, and subject to change soon. As long as there are no accounts with weak passwords, only an application vulnerability will allow them access. Kernel-based firewalls are the champ there. You can make DENY the default, and prevent vulnerable apps from responding.

Though I understand the theory, I have insufficient knowledge of traffic realities (what to block, how and why) to understand writing firewall rules. I find firewall instructions just too obscure for my artsy brain.