From owner-freebsd-net@FreeBSD.ORG Thu Sep 16 13:14:26 2004
Message-ID: <414991B0.5090404@vineyard.net>
Date: Thu, 16 Sep 2004 09:14:24 -0400
From: "Eric W. Bates"
To: Sten Spans
cc: freebsd-net@freebsd.org
References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org> <41484AE4.30709@vineyard.net>
Subject: Re: Too many dynamic rules created by infected machine
List-Id: Networking and TCP/IP with FreeBSD

Sten Spans wrote:
> On Wed, 15 Sep 2004, Eric W. Bates wrote:
>
>> That looks good. I should have RTFM.
>>
>> Is it reasonable to try something like:
>>
>> ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100
>>
>> Anyone ever figured out what the average/max number of simultaneous
>> dynamic rules needed to support an http session?
>
> Normally a http request is one tcp connection,
> some browsers open more connections to speed things up.
> You could add special rules for avupdate-host.norton.com
> or somesuch.
>
> An even better solution would be a (transparent) proxy
> setup, with allow rules for *.norton.com in the proxy
> software.
> The kind of restrictions you are trying to enforce are
> quite a bit easier to achieve with proper userland
> proxy software.

Excellent idea. There is already a squid running on that machine. Can I force a client to use a proxy with:

ipfw add forward myhost tcp from evil/24 to not myhost dst-port 3128
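As an added example (not code from the thread or from FreeBSD), here is a small parser that counts the per-source dynamic states an ipfw rule with `limit src-addr 100` would be enforcing, read from the output of `ipfw -d show`, so a host that is burning through states can be spotted before the limit is hit. The line layout of the dynamic-rule section and the addresses in the sample are constructed assumptions modelled on 5.x-era ipfw output, not a capture from the original poster's firewall.

```python
import re
from collections import Counter

# Constructed sample of "ipfw -d show" output (layout assumed, not from the
# thread). Static rules come first; dynamic entries follow the banner line.
SAMPLE = """\
00100 allow ip from any to any via lo0
00200 allow tcp from 192.0.2.0/24 to any dst-port 80 setup limit src-addr 100
65535 deny ip from any to any
## Dynamic rules (5):
00200       12       1200 (300s) STATE tcp 192.0.2.10 49152 <-> 198.51.100.7 80
00200        3        240 (280s) STATE tcp 192.0.2.10 49153 <-> 198.51.100.8 80
00200        9        900 (299s) STATE tcp 192.0.2.10 49154 <-> 198.51.100.9 80
00200       20       2000 (297s) STATE tcp 192.0.2.44 50000 <-> 198.51.100.7 80
00200        0          0 (300s) STATE tcp 192.0.2.44 50001 <-> 198.51.100.7 80
"""

# rule-number, pkts, bytes, (lifetime), STATE, proto, src sport <-> dst dport
DYN_RE = re.compile(
    r"^(?P<rule>\d{5})\s+\d+\s+\d+\s+\(\d+s\)\s+STATE\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\s+\d+\s+<->\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)$"
)


def dynamic_states_per_src(text):
    """Return {src_ip: number_of_dynamic_states} parsed from ipfw -d output."""
    counts = Counter()
    in_dynamic = False
    for line in text.splitlines():
        if line.startswith("## Dynamic rules"):
            in_dynamic = True          # everything after the banner is dynamic
            continue
        if not in_dynamic:
            continue                   # skip the static rule listing
        m = DYN_RE.match(line.strip())
        if m:
            counts[m.group("src")] += 1
    return dict(counts)


def hosts_over_limit(text, limit):
    """Source addresses holding at least `limit` dynamic states (sorted)."""
    return sorted(ip for ip, n in dynamic_states_per_src(text).items() if n >= limit)


if __name__ == "__main__":
    print(dynamic_states_per_src(SAMPLE))
    print(hosts_over_limit(SAMPLE, 3))
```

On a live box the text would come from `subprocess.run(["ipfw", "-d", "show"], capture_output=True, text=True).stdout`; the threshold passed to `hosts_over_limit` should sit below the `limit src-addr` value so the report fires before connections start being refused.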