Date: Thu, 16 Sep 2004 09:14:24 -0400
From: "Eric W. Bates" <ericx_lists@vineyard.net>
To: Sten Spans <sten@blinkenlights.nl>
Cc: freebsd-net@freebsd.org
Subject: Re: To many dynamic rules created by infected machine
Message-ID: <414991B0.5090404@vineyard.net>
In-Reply-To: <Pine.SOL.4.58-Blink.0409152302340.16703@tea.blinkenlights.nl>
References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org> <B7A193EBF32592C1BC9C6000@vanvoght.phoenix.volant.org> <Pine.SOL.4.58-Blink.0409151438200.16703@tea.blinkenlights.nl> <41484AE4.30709@vineyard.net> <Pine.SOL.4.58-Blink.0409152302340.16703@tea.blinkenlights.nl>
Sten Spans wrote:
> On Wed, 15 Sep 2004, Eric W. Bates wrote:
>
>> That looks good. I should have RTFM.
>>
>> Is it reasonable to try something like:
>>
>> ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100
>>
>> Anyone ever figured out what the average/max number of simultaneous
>> dynamic rules needed to support an http session?
>
> Normally a http request is one tcp connection,
> some browsers open more connections to speed things up.
> You could add special rules for avupdate-host.norton.com
> or somesuch.
>
> An even better solution would be a (transparent) proxy
> setup, with allow rules for *.norton.com in the proxy
> software.
> The kind of restrictions you are trying to enforce are
> quite a bit easier to achieve with proper userland
> proxy software.

Excellent idea. There is already a squid running on that machine. Can I force a client to use a proxy with:

ipfw add forward myhost tcp from evil/24 to not myhost dst-port 3128
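The thread asks how many dynamic rules a host legitimately needs and how to spot one that is creating too many. The script below is an added example, not code from the thread or from FreeBSD: it parses the dynamic-rule section of `ipfw -d list` output (column layout assumed and the sample constructed inline), counts live states per source address, finds hosts at or over the `limit src-addr` value the rule would enforce, and reports the largest number of simultaneous states a single source holds against one destination, which is the per-session figure Eric is asking about.

```python
import re
from collections import Counter

# Constructed sample of `ipfw -d list` output. The dynamic-rule column layout
# (rule, packets, bytes, lifetime, STATE, proto, src port <-> dst port) is an
# assumption about the FreeBSD 4/5-era format, not taken from the thread.
SAMPLE = """\
00100 allow tcp from 10.1.1.0/24 to any dst-port 80 setup limit src-addr 100
65535 deny ip from any to any
## Dynamic rules (5):
00100     12    1840 (4s) STATE tcp 10.1.1.7 49152 <-> 93.184.216.34 80
00100      9    1210 (4s) STATE tcp 10.1.1.7 49153 <-> 93.184.216.34 80
00100      3     180 (9s) STATE tcp 10.1.1.7 49154 <-> 198.51.100.9 80
00100      6     900 (3s) STATE tcp 10.1.1.20 1025 <-> 203.0.113.5 80
00100      4     600 (2s) STATE tcp 10.1.1.20 1026 <-> 203.0.113.5 80
"""

# Only lines in the dynamic section match: static rules have a keyword, not a
# packet count, in the second column.
DYN_RE = re.compile(
    r"^\d+\s+\d+\s+\d+\s+\(\d+s\)\s+STATE\s+(\w+)\s+(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)"
)


def parse_dynamic(text):
    """Return (proto, src_ip, src_port, dst_ip, dst_port) for each dynamic rule."""
    states = []
    for line in text.splitlines():
        m = DYN_RE.match(line)
        if m:
            proto, sip, sport, dip, dport = m.groups()
            states.append((proto, sip, int(sport), dip, int(dport)))
    return states


def per_source_counts(states):
    """Live dynamic rules held by each inside source address."""
    return Counter(s[1] for s in states)


def over_limit(text, limit):
    """Sources that would already be refused new states by `limit src-addr limit`."""
    counts = per_source_counts(parse_dynamic(text))
    return sorted(ip for ip, n in counts.items() if n >= limit)


def max_states_per_session(text):
    """Largest number of simultaneous states one source holds to one destination."""
    pairs = Counter((s[1], s[3]) for s in parse_dynamic(text))
    return max(pairs.values(), default=0)
```

Run it against real output with `ipfw -d list | python3 thisscript.py` after replacing SAMPLE with `sys.stdin.read()`; the per-source maximum observed over a normal day is a defensible starting value for the `limit src-addr` count.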