Date: Wed, 15 Sep 2004 23:08:15 +0200 (CEST) From: Sten Spans <sten@blinkenlights.nl> To: "Eric W. Bates" <ericx_lists@vineyard.net> Cc: freebsd-net@freebsd.org Subject: Re: To many dynamic rules created by infected machine Message-ID: <Pine.SOL.4.58-Blink.0409152302340.16703@tea.blinkenlights.nl> In-Reply-To: <41484AE4.30709@vineyard.net> References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org> <B7A193EBF32592C1BC9C6000@vanvoght.phoenix.volant.org> <Pine.SOL.4.58-Blink.0409151438200.16703@tea.blinkenlights.nl> <41484AE4.30709@vineyard.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 15 Sep 2004, Eric W. Bates wrote: > > > Sten Spans wrote: > > > > > What about: > > > > ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4 > > ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4 > > > > To limit the amount of evil connections, place above the regular > > keep-state rule. > > > > > > That looks good. I should have RTFM. > > Is it reasonable to try something like: > > ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100 > > Anyone ever figured out what the average/max number of simultaneous > dynamic rules needed to support an http session? Normally a http request is one tcp connection, some browsers open more connections to speed things up. You could add special rules for avupdate-host.norton.com or somesuch. An even better solution would be a (transparent) proxy setup, with allow rules for *.norton.com in the proxy software. The kind of restrictions you are trying to enforce are quite a bit easier achieve with propper userland proxy software. -- Sten Spans "There is a crack in everything, that's how the light gets in." Leonard Cohen - Anthem
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.SOL.4.58-Blink.0409152302340.16703>