From: "Eric W. Bates" <ericx_lists@vineyard.net>
Date: Tue, 14 Sep 2004 20:59:43 -0400
To: Julian Elischer
cc: freebsd-net@freebsd.org
Subject: Re: To many dynamic rules created by infected machine
Message-ID: <414793FF.3000008@vineyard.net>
In-Reply-To: <41473EF6.8030201@elischer.org>
References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD

Julian Elischer wrote:
> how about preceding the keep-state rule with some specific rules
> against that machine..
> (or turning it off)? what KIND of sweep?
>

It's a small store.

Folks with broken computers bring the machines in because "It doesn't work". They usually don't know what is wrong with any given machine, and they try to be careful (remove the hard drive and attempt to clean it first), but eventually there is a need to put the machine online and try to update Norton's virus list.

Over the weekend a less savvy staffer was working on a laptop with some infection or other (the machine does not have a tcpdump store running, so I don't know exactly what happened). The firewall started to fail because of the overwhelming number of dynamic rules created, and he did not connect the customer's machine on the workbench with their problem (he rebooted the FreeBSD machine...).

I'm guessing it had Sasser (or similar) and it was attempting to open up connections to:

199.x.x.1 : 445
199.x.x.2 : 445
199.x.x.3 : 445
199.x.x.4 : 445
...

There is a dhcp server passing out addresses to the "bench" network; so if there is a way to limit the number of dynamic rules created, I can apply it to that IP range easily enough.

>
>
> Eric W. Bates wrote:
>
>> Friends run an IT business and I helped build them a firewall using
>> ipfw.
>>
>> The box has multiple interfaces; one of which is untrusted and it is
>> where they put suspect machines (customer boxes with high likelihood
>> of viruses and other evil Windoze ailments).
>>
>> Their network is well protected; however there is now an inadvertent
>> DOS when a particularly virulent machine performs a sweep attack on
>> some block of IP, because we have a check-state/keep-state.
>>
>> Sep 11 16:00:01 hostname /kernel: ipfw: install_state:
>> Too many dynamic rules
>>
>> Is there a way to limit the number of rules a given host can create
>> in x number of minutes?
>>
>>
>> Thanks for your time.
>> --
>> Eric W. Bates
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
>
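An added example, not taken from the thread or from FreeBSD's own documentation: the unbounded check-state/keep-state ruleset described above beside a bench-segment ruleset that uses ipfw's per-source `limit src-addr N` option, which is the per-host cap the original question asks for. The bench subnet 192.0.2.0/24, the interface name bench0 and the cap of 32 are placeholders I chose; substitute the store's DHCP range and interface.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): cap the number of ipfw
# dynamic rules any single host on the untrusted "bench" segment may hold.
# Placeholders (assumptions, not values from the mail): adjust before use.
BENCH_NET="192.0.2.0/24"
BENCH_IF="bench0"
PER_HOST_MAX=32     # dynamic rules one bench host may hold at once

# Weak form: a single keep-state rule for everyone. A sweeping host creates
# one dynamic rule per target until install_state logs "Too many dynamic
# rules" and the table is exhausted for every interface on the firewall.
weak_rules() {
    cat <<EOF
add 100 check-state
add 200 allow ip from any to any keep-state
EOF
}

# Hardened form for the bench segment: "limit src-addr N" still installs
# dynamic rules, but at most N per source address; packets from a host that
# has reached its cap are dropped instead of consuming global table entries.
# Outbound SMB (139/445) from quarantined machines is denied and logged so a
# worm sweep shows up in the log rather than in the dynamic-rule table.
bench_rules() {
    cat <<EOF
add 100 check-state
add 300 deny log tcp from $BENCH_NET to any dst-port 139,445 setup in via $BENCH_IF
add 310 allow tcp from $BENCH_NET to any setup in via $BENCH_IF limit src-addr $PER_HOST_MAX
add 320 allow udp from $BENCH_NET to any in via $BENCH_IF limit src-addr $PER_HOST_MAX
EOF
}

# Global ceiling as a second line of defence (the ipfw default is 4096).
dyn_max_sysctl() {
    echo "net.inet.ip.fw.dyn_max=8192"
}

# "sh this.sh apply" loads the rules on the firewall; otherwise just print them.
if [ "${1:-}" = "apply" ]; then
    sysctl "$(dyn_max_sysctl)"
    bench_rules | while read -r rule; do ipfw -q $rule; done
else
    bench_rules
fi
```

With `limit` the per-host count includes half-open entries, so a SYN sweep hits the cap within `net.inet.ip.fw.dyn_syn_lifetime` seconds and the rest of the table stays available to the trusted interfaces.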