From owner-freebsd-net@FreeBSD.ORG Wed Sep 15 14:00:06 2004 Return-Path: <owner-freebsd-net@FreeBSD.ORG> Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C54E916A4CE for <freebsd-net@freebsd.org>; Wed, 15 Sep 2004 14:00:06 +0000 (GMT) Received: from vineyard.net (k1.vineyard.net [204.17.195.90]) by mx1.FreeBSD.org (Postfix) with ESMTP id 92BD543D31 for <freebsd-net@freebsd.org>; Wed, 15 Sep 2004 14:00:06 +0000 (GMT) (envelope-from ericx_lists@vineyard.net) Received: from localhost (loopback [127.0.0.1]) by vineyard.net (Postfix) with ESMTP id 55C4D91664; Wed, 15 Sep 2004 10:00:05 -0400 (EDT) Received: from vineyard.net ([127.0.0.1]) by localhost (king1.vineyard.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 71420-01-62; Wed, 15 Sep 2004 10:00:05 -0400 (EDT) Received: from vineyard.net (cheesenip.vineyard.net [204.17.195.113]) by vineyard.net (Postfix) with ESMTP id 1E0FD91626; Wed, 15 Sep 2004 10:00:05 -0400 (EDT) Message-ID: <41484AE4.30709@vineyard.net> Date: Wed, 15 Sep 2004 10:00:04 -0400 From: "Eric W. Bates" <ericx_lists@vineyard.net> User-Agent: Mozilla Thunderbird 0.5 (X11/20040208) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Sten Spans <sten@blinkenlights.nl> References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org> <B7A193EBF32592C1BC9C6000@vanvoght.phoenix.volant.org> <Pine.SOL.4.58-Blink.0409151438200.16703@tea.blinkenlights.nl> In-Reply-To: <Pine.SOL.4.58-Blink.0409151438200.16703@tea.blinkenlights.nl> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS-king1 at Vineyard.NET cc: freebsd-net@freebsd.org Subject: Re: To many dynamic rules created by infected machine X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org> List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>, <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net> List-Post: <mailto:freebsd-net@freebsd.org> List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help> List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>, <mailto:freebsd-net-request@freebsd.org?subject=subscribe> X-List-Received-Date: Wed, 15 Sep 2004 14:00:06 -0000 Sten Spans wrote: > > What about: > > ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4 > ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4 > > To limit the amount of evil connections, place above the regular > keep-state rule. > > That looks good. I should have RTFM. Is it reasonable to try something like: ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100 Anyone ever figured out what the average/max number of simultaneous dynamic rules needed to support an http session? I'm not going to allow the 137-139,445 ports out (no need for file sharing when repairing these things). But I'm going to have to allow 80, 443, whatever Norton, spybot, adaware, etc. use for their database updates. ---- The default (FBSD 4.9, ipfw 2) number of rules max seems to be 4096. net.inet.ip.fw.dyn_max: 4096 Is it reasonable to pump this number up? -- Eric W. Bates