Date: Wed, 15 Sep 2004 14:59:52 +0200 (CEST)
From: Sten Spans
To: Pat Lashley
cc: "Eric W. Bates"
cc: freebsd-net@freebsd.org
cc: Julian Elischer
Subject: Re: To many dynamic rules created by infected machine
List-Id: Networking and TCP/IP with FreeBSD
References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org>

On Tue, 14 Sep 2004, Pat Lashley wrote:

> --On Tuesday, September 14, 2004 20:59:43 -0400 "Eric W. Bates" wrote:
>
> > It's a small store. Folks with broken computers bring the
> > machines in because "It doesn't work".
> > They usually don't
> > know what is wrong with any given machine; and they try to
> > be careful (remove the hard drive and attempt to clean it
> > first); but eventually there is a need to put the machine
> > on line and try to update Norton's virus list.
>
> Before bringing it on-line, why not mount the disk on a FreeBSD
> machine and run ClamAV over all the files? It's not guaranteed
> to catch everything; but it should at least reduce the window.
>
> You could also consider setting it up so that the initial
> reconnection is on a separate cable going through a firewall
> that -only- allows the connections necessary to update the
> Norton virus list. Once it is updated, unplug it from the
> network, run the virus check, and only then plug it into
> your main LAN.
>

What about:

  ipfw add allow tcp from evil/24 to any 445 setup limit src-addr 4
  ipfw add allow tcp from evil/24 to any 139 setup limit src-addr 4

To limit the number of evil connections, place these above the regular keep-state rule.

-- 
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
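As an added example (not part of the thread), here is a small Python script that reads the dynamic-rule section of `ipfw -d show` and flags source addresses holding more than a given number of states to the SMB ports, which is how you would spot a scanning host and confirm that the `limit src-addr 4` rules above are holding. The line format is approximated from ipfw2 output and the sample text is constructed, so the regex may need adjusting for your ipfw version.

```python
import re
from collections import Counter

# Matches one dynamic-rule line as printed by `ipfw -d show` (ipfw2 style,
# approximated here), e.g.:
# 00200   12   720 (20s) STATE tcp 192.168.1.77 1034 <-> 192.168.1.5 445
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)"
)

SMB_PORTS = {139, 445}  # the ports the limit rules in the mail apply to

def parse_dynamic_rules(text):
    """Return one dict per dynamic-rule line; headers and static rules are ignored."""
    rules = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("rule", "pkts", "bytes", "ttl", "sport", "dport"):
                d[k] = int(d[k])
            rules.append(d)
    return rules

def states_per_source(rules, ports=SMB_PORTS):
    """Count dynamic states per source address whose destination port is in `ports`."""
    counts = Counter()
    for r in rules:
        if r["dport"] in ports:
            counts[r["src"]] += 1
    return counts

def offenders(counts, limit=4):
    """Sources at or above the per-address cap (the value given to `limit src-addr`)."""
    return sorted(src for src, n in counts.items() if n >= limit)

# Constructed sample of `ipfw -d show` output: one infected host spraying 445/139,
# one normal client with a single SMB session and an unrelated HTTP state.
SAMPLE = """\
## Dynamic rules (6):
00200   12   720 (20s) STATE tcp 192.168.1.77 1034 <-> 192.168.1.5 445
00200    3   180 (18s) STATE tcp 192.168.1.77 1035 <-> 192.168.1.6 445
00200    3   180 (17s) STATE tcp 192.168.1.77 1036 <-> 192.168.1.7 139
00200    3   180 (17s) STATE tcp 192.168.1.77 1037 <-> 192.168.1.8 445
00300  150 9800 (290s) STATE tcp 192.168.1.20 2049 <-> 192.168.1.5 445
00300   40 3100 (250s) STATE tcp 192.168.1.20 2050 <-> 10.0.0.1 80
"""

if __name__ == "__main__":
    counts = states_per_source(parse_dynamic_rules(SAMPLE))
    for src in offenders(counts):
        print(f"{src}: {counts[src]} SMB states, at the per-source limit")
```

Run it against a saved `ipfw -d show` capture instead of SAMPLE to see which hosts are pinned at the limit; a host sitting there permanently is worth pulling off the LAN.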