Message-ID: <41484AE4.30709@vineyard.net>
Date: Wed, 15 Sep 2004 10:00:04 -0400
From: "Eric W. Bates" <ericx_lists@vineyard.net>
To: Sten Spans <sten@blinkenlights.nl>
References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org>
	<B7A193EBF32592C1BC9C6000@vanvoght.phoenix.volant.org>
	<Pine.SOL.4.58-Blink.0409151438200.16703@tea.blinkenlights.nl>
In-Reply-To: <Pine.SOL.4.58-Blink.0409151438200.16703@tea.blinkenlights.nl>
cc: freebsd-net@freebsd.org
Subject: Re: Too many dynamic rules created by infected machine

Sten Spans wrote:

> 
> What about:
> 
> ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4
> ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4
> 
> To limit the amount of evil connections, place above the regular
> keep-state rule.
> 
> 

That looks good.  I should have RTFM.

Is it reasonable to try something like:

ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100

Has anyone ever figured out the average/max number of simultaneous 
dynamic rules needed to support an http session?

I'm not going to allow the 137-139,445 ports out (no need for file 
sharing when repairing these things). But I'm going to have to allow 80, 
443, whatever Norton, spybot, adaware, etc. use for their database updates.

----

The default (FBSD 4.9, ipfw 2) maximum number of dynamic rules seems to be 4096.

net.inet.ip.fw.dyn_max: 4096

Is it reasonable to pump this number up?

--
Eric W. Bates
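As an added example, not part of the thread, here is a small Python check for the two questions raised above: how many dynamic rules the proposed `limit src-addr` rules could pin in the worst case against `net.inet.ip.fw.dyn_max`, and whether the limit rules sit above the keep-state rule as Sten's message calls for. The ruleset is constructed (the RFC 5737 documentation prefix 192.0.2.0/24 stands in for `evil/24`, and all rules use Eric's `dst-port` spelling); the 4096 value is the sysctl quoted in the message.

```python
import ipaddress
import re

# Constructed ruleset (not from the original post): the two limit rules from
# the quoted message, the proposed port-80 rule, and a trailing keep-state rule.
RULESET = """
ipfw add allow tcp from 192.0.2.0/24 to any dst-port 445 setup limit src-addr 4
ipfw add allow tcp from 192.0.2.0/24 to any dst-port 139 setup limit src-addr 4
ipfw add allow tcp from 192.0.2.0/24 to any dst-port 80 setup limit src-addr 100
ipfw add allow tcp from any to any setup keep-state
"""
DYN_MAX = 4096  # net.inet.ip.fw.dyn_max as quoted in the message

LIMIT_RE = re.compile(r"\bfrom (\S+) to \S+ .*\blimit src-addr (\d+)")


def limit_budget(ruleset):
    """Worst-case dynamic rules each 'limit src-addr N' rule can pin.

    ipfw caps states per distinct source address at N, so a /24 with N=4
    can hold 256 * 4 = 1024 states.  A source of 'any' is unbounded (None).
    """
    per_rule, total = [], 0
    for line in ruleset.strip().splitlines():
        m = LIMIT_RE.search(line)
        if not m:
            continue
        src, n = m.group(1), int(m.group(2))
        if src == "any":
            per_rule.append((line, None))
            total = None
            continue
        worst = ipaddress.ip_network(src, strict=False).num_addresses * n
        per_rule.append((line, worst))
        if total is not None:
            total += worst
    return per_rule, total


def limits_precede_keep_state(ruleset):
    """True if every 'limit' rule sits above the first 'keep-state' rule."""
    lines = ruleset.strip().splitlines()
    first_ks = next((i for i, l in enumerate(lines) if "keep-state" in l), len(lines))
    return all(i < first_ks for i, l in enumerate(lines) if " limit " in l)


if __name__ == "__main__":
    rules, total = limit_budget(RULESET)
    print(f"worst case {total} dynamic rules vs dyn_max {DYN_MAX}; "
          f"limits precede keep-state: {limits_precede_keep_state(RULESET)}")
```

With a /24 behind it, the proposed port-80 rule alone can pin 25600 states, so the per-rule limit, not dyn_max, is the knob to tune first.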