From owner-freebsd-net@FreeBSD.ORG  Wed Sep 15 21:08:17 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D3CFB16A4CE
	for <freebsd-net@freebsd.org>; Wed, 15 Sep 2004 21:08:17 +0000 (GMT)
Received: from ford.blinkenlights.nl (ford.blinkenlights.nl [213.204.211.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8DEB143D2F
	for <freebsd-net@freebsd.org>; Wed, 15 Sep 2004 21:08:17 +0000 (GMT)
	(envelope-from sten@blinkenlights.nl)
Received: from tea.blinkenlights.nl (tea.blinkenlights.nl [192.168.1.8])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ford.blinkenlights.nl (Postfix) with ESMTP id 5E56A3E43E;
	Wed, 15 Sep 2004 23:08:16 +0200 (CEST)
Received: by tea.blinkenlights.nl (Postfix, from userid 101)
	id E9CF229B; Wed, 15 Sep 2004 23:08:15 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by tea.blinkenlights.nl (Postfix) with ESMTP
	id E54C8285; Wed, 15 Sep 2004 23:08:15 +0200 (CEST)
Date: Wed, 15 Sep 2004 23:08:15 +0200 (CEST)
From: Sten Spans <sten@blinkenlights.nl>
To: "Eric W. Bates" <ericx_lists@vineyard.net>
In-Reply-To: <41484AE4.30709@vineyard.net>
Message-ID: <Pine.SOL.4.58-Blink.0409152302340.16703@tea.blinkenlights.nl>
References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org>
 <B7A193EBF32592C1BC9C6000@vanvoght.phoenix.volant.org>
 <Pine.SOL.4.58-Blink.0409151438200.16703@tea.blinkenlights.nl>
 <41484AE4.30709@vineyard.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-net@freebsd.org
Subject: Re: To many dynamic rules created by infected machine
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2004 21:08:17 -0000

On Wed, 15 Sep 2004, Eric W. Bates wrote:

>
>
> Sten Spans wrote:
>
> >
> > What about:
> >
> > ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4
> > ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4
> >
> > To limit the amount of evil connections, place above the regular
> > keep-state rule.
> >
> >
>
> That looks good.  I should have RTFM.
>
> Is it reasonable to try something like:
>
> ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100
>
> Anyone ever figured out what the average/max number of simultaneous
> dynamic rules needed to support an http session?

Normally a http request is one tcp connection,
some browsers open more connections to speed things up.
You could add special rules for avupdate-host.norton.com
or somesuch.

An even better solution would be a (transparent) proxy
setup, with allow rules for *.norton.com in the proxy
software.
The kind of restrictions you are trying to enforce are
quite a bit easier achieve with propper userland
proxy software.

-- 
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem