From: Sten Spans
To: "Eric W. Bates"
cc: freebsd-net@freebsd.org
Date: Wed, 15 Sep 2004 23:08:15 +0200 (CEST)
Subject: Re: To many dynamic rules created by infected machine
In-Reply-To: <41484AE4.30709@vineyard.net>
References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org> <41484AE4.30709@vineyard.net>

On Wed, 15 Sep 2004, Eric W. Bates wrote:

> Sten Spans wrote:
>
> > What about:
> >
> > ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4
> > ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4
> >
> > To limit the amount of evil connections, place above the regular
> > keep-state rule.
>
> That looks good. I should have RTFM.
>
> Is it reasonable to try something like:
>
> ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100
>
> Anyone ever figured out what the average/max number of simultaneous
> dynamic rules needed to support an http session?

Normally an http request is one tcp connection; some browsers open more
connections to speed things up. You could add special rules for
avupdate-host.norton.com or some such.

An even better solution would be a (transparent) proxy setup, with
allow rules for *.norton.com in the proxy software. The kind of
restrictions you are trying to enforce are quite a bit easier to achieve
with proper userland proxy software.

--
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
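The behaviour the thread relies on, as an added simulation that is not ipfw code and not from either poster: a "setup limit src-addr N" rule refuses to create an (N+1)th dynamic rule for the same source, so a scanning host is capped while the plain keep-state rule below it keeps growing the table. The network 10.1.1.0/24 (standing in for evil/24), the 192.0.2.x targets and the first-match, one-rule-per-SYN model are constructed assumptions that simplify the real ipfw state keys.

```python
import ipaddress
from collections import defaultdict

class Rule:
    """One stateful ipfw rule: 'setup limit src-addr <limit>' when limit is set,
    plain 'setup keep-state' (no per-source cap) when limit is None."""
    def __init__(self, net, dport, limit=None):
        self.net = ipaddress.ip_network(net)   # "10.1.1.0/24" stands in for evil/24
        self.dport, self.limit = dport, limit  # dport None = any port
        self.dyn = defaultdict(set)            # src-addr -> dynamic rules (4-tuples)

    def matches(self, src, dport):
        return ipaddress.ip_address(src) in self.net and self.dport in (None, dport)

    def setup(self, flow):
        """Handle a SYN: True = allowed (dynamic rule exists/created), False = dropped."""
        flows = self.dyn[flow[0]]
        if flow in flows:
            return True
        if self.limit is not None and len(flows) >= self.limit:
            return False                       # N rules already open from this src
        flows.add(flow)
        return True

    def count(self):
        return sum(len(f) for f in self.dyn.values())

def build_ruleset():
    # Order mirrors the thread: limit rules sit above the regular keep-state rule.
    evil = "10.1.1.0/24"
    return [Rule(evil, 445, 4), Rule(evil, 139, 4), Rule(evil, 80, 100),
            Rule("0.0.0.0/0", None)]

def run_syns(rules, syns):
    """First-match evaluation of (src, sport, dst, dport) SYNs.
    Returns (allowed, dropped, dynamic rules now in the table)."""
    allowed = dropped = 0
    for flow in syns:
        rule = next(r for r in rules if r.matches(flow[0], flow[3]))
        if rule.setup(flow):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped, sum(r.count() for r in rules)

def scan_from(src, dport, n):
    """Constructed SYN burst: fresh sport and target per connection, like a worm scan."""
    return [(src, 1024 + i, f"192.0.2.{i % 250 + 1}", dport) for i in range(n)]
```

Running scan_from("10.1.1.7", 445, 50) through build_ruleset() yields 4 allowed, 46 dropped and only 4 dynamic rules, whereas the same burst from a host outside evil/24 falls through to the keep-state rule and creates 50.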