Hi all
i want to protect my server from DDOS attack and i want to set the firewall good to protect it from that

thanks

nobody ?

Because your local network topology, services, access requirements are going to vary from network to network, there really is no such thing as the *best* firewall. And more specifically the effects of dDOS attacks can be extremely hard to control for the end-user. Usually you'll get the best results by contacting your ISP and have them block traffic at the upstream routers. That being said, there are some things you can do to manage small scale dDOS attacks:

Turn on tcp_syncookies:

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

Configure your firewall to drop packets after a certain threshold is reached using the --limit and --limit-burst options (check out the iptables man page or the netfilter documentation at www.netfilter.org). You'll have to play around with the limit to find the right setting so that your not dropping legitimate packets. Keep in mind that when it comes to a serious dDOS attack that consumes significant bandwidth, neither of those will do much good and working with your ISP is really the best options

By the way, the correct acronym is DDoS

There are lots of different types of DDoS attacks. The most common these days is a simple SYN flood that exhausts the amount of buffers available to hold half-open connections. It can be mitigated by turning on syncookies (on Linux) or synproxy (on some other OSs, such as OpenBSD) to handle SYN requests more intelligently. You can also increase the amount of buffers available for half-open connections and decrease the time-out period to expire them.

See this site for more information.

There are also other types of DDoS attacks, such as simple ICMP floods that fill up all your bandwidth (which is the old-style PING flood), smurf attacks, and much more complicated schemes that generally go beyond the scope of such a simple question.

A packet filter firewall will be able to help with some of them, but any DoS that operates by filling your network bandwidth will still incapacitate you if your ISP cannot provide assistence. A common manifestation of this is the "Slashdot" syndrom, where a site with a small amount of bandwidth becomes linked by Slashdot.org and the sheer amount of incoming HTTP requests overwhelms it.