From owner-freebsd-security Mon Oct 29 17:13:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from robin.mail.pas.earthlink.net (robin.mail.pas.earthlink.net [207.217.120.65]) by hub.freebsd.org (Postfix) with ESMTP id 425DB37B401 for ; Mon, 29 Oct 2001 17:13:26 -0800 (PST)
Received: from user-33qtnbj.dialup.mindspring.com ([199.174.221.115] helo=gohan.cjclark.org) by robin.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 15yNT3-00024A-00; Mon, 29 Oct 2001 17:13:25 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id f9TNVfm00289; Mon, 29 Oct 2001 15:31:41 -0800 (PST) (envelope-from cjc)
Date: Mon, 29 Oct 2001 15:31:41 -0800
From: "Crist J. Clark"
To: Peter Haight
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw dynamic entries I don't understand.
Message-ID: <20011029153140.A224@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <200110282105.f9SL5ex95768@wartch.sapros.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200110282105.f9SL5ex95768@wartch.sapros.com>; from peterh@sapros.com on Sun, Oct 28, 2001 at 01:05:40PM -0800
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, Oct 28, 2001 at 01:05:40PM -0800, Peter Haight wrote:
>
> Someone was portscanning my machine the other day. I have an ipfw setup with
> some dynamic rules and the guy doing the portscanner managed to get some of
> his connections to start as a dynamic rule. I had thought I had it set up so
> that only tcp connections originating from the server would start a
> dynamic rule. I'm using a set of rules which I grew from the 'simple'
> firewall rules (with NAT). This eventually filled up the dynamic rule table
> so that I couldn't make any more connections. Is there some way to fix this?
There is really no way to see what is going on without the _complete_
firewall ruleset.
--
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
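The thread never shows Peter's ruleset, so the following is an added example rather than anything posted by either participant. It sketches, in the rc.firewall style the "simple" rules use, the mistake that produces the symptom described above (a keep-state rule that also matches inbound SYNs, so every probed port costs one dynamic entry until the table is full) next to a variant where only outbound SYNs create state, plus a small audit helper that flags state-creating rules not pinned to the outbound direction. The interface name, rule numbers and the FWCMD/OIF variables are assumptions; with FWCMD left unset the script only echoes the ipfw commands, so it can be reviewed on any host.

```shell
#!/bin/sh
# Added example (not from the thread): an rc.firewall-style stateful ipfw
# ruleset in which only outbound TCP SYNs create dynamic entries, next to the
# weak variant that lets any remote SYN create one.
#
# FWCMD defaults to "echo ipfw" so the rule lines can be reviewed on any host
# without touching a live firewall; set FWCMD=/sbin/ipfw on the FreeBSD box to
# load them for real. OIF is the outside interface (assumed placeholder).
fwcmd="${FWCMD:-echo ipfw}"
oif="${OIF:-ed0}"

# Weak variant: keep-state on a rule that matches SYNs in both directions.
# A port scan then creates one dynamic entry per probed port, and once the
# table (capped by sysctl net.inet.ip.fw.dyn_max) is full, the host's own
# outbound connections can no longer get an entry.
weak_ruleset() {
    $fwcmd add 100 check-state
    $fwcmd add 200 pass tcp from any to any setup keep-state
    $fwcmd add 65000 deny ip from any to any
}

# Hardened variant: the keep-state rule is restricted to "out via $oif", so
# only connections the host itself opens are tracked; inbound SYNs hit a
# logged deny instead of creating state.
hardened_ruleset() {
    $fwcmd add 100 check-state
    $fwcmd add 200 pass tcp from any to any out via "$oif" setup keep-state
    $fwcmd add 300 deny log tcp from any to any in via "$oif" setup
    $fwcmd add 65000 deny ip from any to any
}

# Audit helper: print every rule of the named ruleset function that creates
# dynamic state (keep-state or limit) without being pinned to the outbound
# direction. An empty result means no remote host can populate the table.
inbound_state_rules() {
    "$1" | grep -E 'keep-state|limit ' | grep -v -E '(^| )out( |$)'
}

# Stand-alone run: emit (or, with FWCMD=/sbin/ipfw, load) the hardened rules.
hardened_ruleset
```

On the live box, `ipfw -d show` lists the current dynamic entries (add `-e` to include expired ones), which is the quickest way to confirm whose SYNs are creating state; `sysctl net.inet.ip.fw.dyn_max` shows the table size the scan was filling.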