Date: Wed, 15 Sep 2004 10:00:04 -0400
From: "Eric W. Bates" <ericx_lists@vineyard.net>
To: Sten Spans <sten@blinkenlights.nl>
Cc: freebsd-net@freebsd.org
Subject: Re: To many dynamic rules created by infected machine
Message-ID: <41484AE4.30709@vineyard.net>
In-Reply-To: <Pine.SOL.4.58-Blink.0409151438200.16703@tea.blinkenlights.nl>
References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org> <B7A193EBF32592C1BC9C6000@vanvoght.phoenix.volant.org> <Pine.SOL.4.58-Blink.0409151438200.16703@tea.blinkenlights.nl>
Sten Spans wrote:
>
> What about:
>
> ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4
> ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4
>
> To limit the amount of evil connections, place above the regular
> keep-state rule.
>

That looks good. I should have RTFM.

Is it reasonable to try something like:

ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100

Anyone ever figured out what the average/max number of simultaneous dynamic rules needed to support an http session?

I'm not going to allow the 137-139,445 ports out (no need for file sharing when repairing these things). But I'm going to have to allow 80, 443, whatever Norton, spybot, adaware, etc. use for their database updates.

----
The default (FBSD 4.9, ipfw 2) number of rules max seems to be 4096.

net.inet.ip.fw.dyn_max: 4096

Is it reasonable to pump this number up?

--
Eric W. Bates
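The following is an added illustration of the point under discussion, not code from this thread or from FreeBSD's ipfw. It is a small Python model of how dynamic rules accumulate under a plain "setup keep-state" rule compared with Sten's "setup limit src-addr N" rules placed above it, and why net.inet.ip.fw.dyn_max gets exhausted by a single sweeping host. The hosts, addresses and traffic are constructed for the example, the table size is deliberately tiny (100 instead of 4096) so the effect is visible, and dynamic-rule expiry (the dyn_*_lifetime sysctls) is not modelled.

```python
"""Toy model of ipfw dynamic rules: 'setup keep-state' versus 'setup limit src-addr N'.

Added example for this thread, not code from the thread or from FreeBSD.  It models
only what the discussion touches on: each new TCP flow matching a keep-state/limit
rule creates one dynamic rule, 'limit src-addr N' refuses a new flow once that source
already holds N dynamic rules under the same parent rule, and net.inet.ip.fw.dyn_max
caps the whole table.  State expiry is deliberately not modelled.
"""
from collections import defaultdict

# Hypothetical hosts and addresses, constructed for the example.
INFECTED = "10.1.2.3"   # worm-infected host sweeping port 445 across a /24
CLIENT = "10.1.2.7"     # ordinary host fetching web pages for its updates


def make_traffic():
    """Return constructed outbound SYN ('setup') packets as (src, dst, dport) tuples:
    200 SMB probes from the infected host, then 20 HTTP connections from the client."""
    pkts = [(INFECTED, f"192.0.2.{i}", 445) for i in range(1, 201)]
    pkts += [(CLIENT, f"198.51.100.{i}", 80) for i in range(1, 21)]
    return pkts


def run(packets, rules, dyn_max):
    """Walk the packets through an ordered ruleset.

    rules: list of (dport, limit) checked top to bottom, first match wins.
           dport None matches any port; limit None means plain keep-state.
    Returns a dict counting packets allowed, refused by a per-source limit,
    and refused because the dynamic table was full.
    """
    states = set()                 # live dynamic rules, keyed by flow
    per_src = defaultdict(int)     # (rule index, src) -> dynamic rules held by that src
    stats = {"allowed": 0, "limit": 0, "dyn_max": 0}
    for src, dst, dport in packets:
        match = next(((i, lim) for i, (port, lim) in enumerate(rules)
                      if port is None or port == dport), None)
        if match is None:
            continue               # no keep-state rule matched: nothing dynamic happens
        idx, limit = match
        flow = (src, dst, dport)
        if flow in states:         # retransmitted SYN on a flow already tracked
            stats["allowed"] += 1
        elif limit is not None and per_src[(idx, src)] >= limit:
            stats["limit"] += 1    # 'limit src-addr N' reached for this source
        elif len(states) >= dyn_max:
            stats["dyn_max"] += 1  # table full: the state cannot be installed
        else:
            states.add(flow)
            per_src[(idx, src)] += 1
            stats["allowed"] += 1
    return stats


KEEP_STATE_ONLY = [(None, None)]
# Sten's limit rules above the catch-all keep-state rule, plus Eric's proposed port-80 limit.
WITH_LIMITS = [(445, 4), (139, 4), (80, 100), (None, None)]


def compare(dyn_max=100):
    """Run both rulesets over the same traffic with a deliberately small table."""
    return {"keep_state_only": run(make_traffic(), KEEP_STATE_ONLY, dyn_max),
            "with_limits": run(make_traffic(), WITH_LIMITS, dyn_max)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:16s} {result}")
```

With only the keep-state rule the sweep fills the 100-entry table before the client sends a single packet, so the client's 20 HTTP connections are refused along with the later probes. With the limit rules in front, the infected host is held to 4 dynamic rules for port 445, the client's 20 connections sit well under the port-80 limit of 100, and the table never fills. That is the reason a per-source limit is the first knob to turn: raising dyn_max only buys time against a host that opens flows faster than they expire.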
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41484AE4.30709>