PF DDoS protection and a firewall: how much processing power is enough?

Good morning,
I’m currently scraping together parts for a FreeBSD based firewall for my home network. I host my personal website on my home network, so I’d like to have a good safety net for a firewall. Of course, filtering some basic stateless traffic consumes very little bandwidth, but I’m curious. If—God forbid—some script kiddie out there decides he wants to ruin my day and DDoS my home network, how much processing power should I give this firewall so it can safely discard all these bogus packets?

Thanks.
 
so it can safely discard all these bogus packets?
Blocking packets on your firewall isn't going to stop them from arriving in the first place. If someone manages to flood your internet connection there's very little you can do to change that.

And there's very little processing power involved to drop a packet. A big, complex ruleset is what's going to use lots of processing power.
 
If someone manages to flood your internet connection there's very little you can do to change that.
Do modern script kiddies have enough bandwidth pushing power to overwhelm modern 10+GBit connections? Keep in mind, I’m just an average home user, I probably won’t be attacked very hard (if at all), I just would like a nice safety net.

And there's very little processing power involved to drop a packet. A big, complex ruleset is what's going to use lots of processing power.
Well, then, the question shifts: what’s the best hardware for a decently complex PF firewall?
 
Do modern script kiddies have enough bandwidth pushing power to overwhelm modern 10+GBit connections? Keep in mind, I’m just an average home user, I probably won’t be attacked very hard (if at all), I just would like a nice safety net.
If you have a 1G pipe coming into you, then 2 people with 1G targeting that will overwhelm.
10G inbound? 11 people with 1G will overwhelm you.
A lot of the DDoS things now are distributed from the attack side.

Now, assuming you are behind an ISP of some sort instead of you actually having a direct connection, the ISP may handle/be on the hook to provide some mitigation of attacks.

Just keep in mind there is the physical layer (packets on the wire that hit your physical interface) and the "logical" layer where packets are trying to hit a specific port.
Physical layer: not much you can do; packets hit you and drop or pass. If all you do is drop, the rest of your system can't get anything done.
Logical layer: they make it in just enough to hit a port or get rejected by a port; again, your system is processing packets to drop, not doing anything useful.

I'm not sure what "best" hardware is, but there are commercial firewalls running on "small" systems (2 to 4G of RAM, middle of the road CPUs). Number of rules and connections tend to drive memory needs and ethernet interfaces tend to drive CPU (responding to interrupts for packets).
Take a look at hardware specs for pfSense and OPNsense to get an idea.

I think your case is basically a typical "SOHO" situation, most of the traffic is "originate from my network" (keep state) very little originating outside so it may not be as complex as you think.
 
what’s the best hardware for a decently complex PF firewall?
I'll give you an example; my own firewall. ASUS PRIME B660M-A; Intel Core i3-13100; 16 GB DDR4-2133. I can max out my 1Gbps fibre connection (up&down) and it barely registers the CPU load.
 
But in my defense, the OP was asking about script kiddies having enough bandwidth; my reply made sense.
With a bit of cryptocurrency you can easily 'rent' botnets nowadays. Even someone with zero knowledge can wield those weapons. It has become BaaS (Botnet as a Service), unfortunately.

Script kiddies are the least of your worries. Their attack profile sticks out like a sore thumb and is easily thwarted simply by keeping your systems up to date.

I host my personal website on my home network
Remember, you have to poke a hole in your firewall, or else your website won't be accessible at all. In other words, the firewall isn't going to protect you on layer 7. It doesn't do DPI (Deep Packet Inspection) and doesn't give a damn what happens above layer 4.
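The thread makes three points that a ruleset shows better than prose: dropping a packet is cheap while a long ruleset is not, a SOHO firewall is mostly "keep state" for traffic the LAN originates, and hosting a website means poking a hole that PF cannot inspect above layer 4. The pf.conf below is an added example written for this page; it is not from any of the posters and not a configuration the thread contains. The interface names em0 and igb0, the LAN range, the web server address and the numeric limits are assumptions to adapt. It also shows the one thing PF can do against a flood at the "logical" layer: per-source connection limits with an overload table, so that a source which misbehaves is pushed into a table checked by a single early drop rule.

```pf
# Added example: a small SOHO pf.conf, not taken from the thread.
# Interface names, addresses and numeric limits are assumptions.
ext_if  = "em0"             # assumed WAN interface
int_if  = "igb0"            # assumed LAN interface
lan_net = "192.168.1.0/24"  # assumed LAN range
web_srv = "192.168.1.10"    # assumed web server on the LAN

# Tables: one rule and one lookup, however many addresses they hold.
# This is how you keep the ruleset short even with a long block list.
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }
table <abusers> persist     # filled at runtime by the overload rule below

set skip on lo0
set limit states 100000     # each state costs kernel memory; raise if it fills
scrub in all

# Translation: LAN goes out via the WAN address; the one inbound "hole"
# sends ports 80 and 443 to the web server.
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_srv

# Default deny inbound. Everything the LAN starts is allowed back by state,
# which is the bulk of a home firewall's work.
block in all
pass out all

# Cheap early drops: spoofed sources and known abusers are dropped by the
# first matching rule ("quick"), before the stateful rules are evaluated.
antispoof quick for { lo0, $int_if }
block in quick on $ext_if from <martians>
block in quick on $ext_if from <abusers>

# The web site. PF only sees TCP to port 80/443 here; it knows nothing about
# HTTP. Per-source limits are the only flood control it offers:
#   max-src-conn       concurrent connections from one address
#   max-src-conn-rate  new connections per address in a window (15 per 5 s)
#   overload           a source over either limit lands in <abusers>, its
#                      states are flushed, and the quick rule above drops it
pass in on $ext_if proto tcp to $web_srv port { 80, 443 } flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 15/5, overload <abusers> flush global)

# LAN clients may go anywhere; return traffic matches the state they create.
pass in on $int_if from $lan_net to any
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only, nothing loaded), then after loading use `pfctl -vvsr` to see per-rule evaluation and packet counters, which tells you which rules are actually doing work, `pfctl -si` for the size of the state table, and `pfctl -t abusers -T show` to list the sources the overload rule has caught. Two caveats: the per-source limits cannot tell a large office or carrier NAT from an attacker, so tune them to your visitors rather than copying the numbers above, and nothing here reduces what arrives on the wire. By the time PF drops a packet it has already crossed your link, which is the point made earlier in the thread.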
 