From owner-freebsd-security@FreeBSD.ORG Thu Aug 21 21:37:34 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4CB101065672 for ; Thu, 21 Aug 2008 21:37:34 +0000 (UTC) (envelope-from security@jim-liesl.org)
Received: from smtp2.mc.surewest.net (qsmtp.mc.surewest.net [66.60.130.145]) by mx1.freebsd.org (Postfix) with SMTP id 2B17E8FC16 for ; Thu, 21 Aug 2008 21:37:34 +0000 (UTC) (envelope-from security@jim-liesl.org)
Received: (qmail 23509 invoked from network); 21 Aug 2008 14:10:56 -0700
Received: by simscan 1.1.0 ppid: 23503, pid: 23504, t: 0.0778s scanners: regex: 1.1.0 attach: 1.1.0
Received: from unknown (HELO smtp.jim-liesl.org) (66.60.173.44) by smtp2 with SMTP; 21 Aug 2008 14:10:56 -0700
Received: from smtp.jim-liesl.org (localhost.static.surewest.net [127.0.0.1]) by smtp.jim-liesl.org (Postfix) with ESMTP id F3E125DDD; Thu, 21 Aug 2008 14:10:53 -0700 (PDT)
Received: from [IPv6:::1] (daemon.static.surewest.net [192.168.1.15]) by smtp.jim-liesl.org (Postfix) with ESMTP id 325FE5DDC; Thu, 21 Aug 2008 14:10:52 -0700 (PDT)
Message-ID: <48ADD9DB.8060805@jim-liesl.org>
Date: Thu, 21 Aug 2008 14:10:51 -0700
From: security
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Mikhail Teterin
References: <48ADA81E.7090106@aldan.algebra.com> <48ADC7E7.9030907@aldan.algebra.com>
In-Reply-To: <48ADC7E7.9030907@aldan.algebra.com>
X-Enigmail-Version: 0.95.6
Content-Type: text/plain; charset=KOI8-U; format=flowed
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
X-Mailman-Approved-At: Thu, 21 Aug 2008 22:01:08 +0000
Cc: freebsd-security@freebsd.org
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 21 Aug 2008 21:37:34 -0000

Mikhail Teterin wrote:
> Neil Neely wrote:
>> I haven't explored this issue enough to speak with any authority -
>> but once upon a time I had an app doing tons of ipfw rule add/removes
>> all the time and we had no end of performance and stability problems
>> on that box (this would have been in 4.x or so timeline I expect).
>> As that approach wasn't really critical we abandoned it without
>> really digging into the details.
>>
>> Years later a need for lots of rapid firewall changes came up again
>> and I drilled into it and found the use of tables was excellent for
>> doing this and it does the job very well. This approach is on a
>> FreeBSD 6.3 box.
>>
>> ipfw add 00550 deny ip from 'table(1)' to any
>>
>> Then just add/remove entries to table 1 via:
>> ipfw table 1 add 10.1.1.22/32
>> ipfw table 1 delete 10.1.1.22/32
>>
>> Show all entries in table 1 with:
>> ipfw table 1 list
>>
>> Clear out the whole of table 1:
>> ipfw table 1 flush
>>
>> I can't be sure if this relates to your particular issue, but I would
>> recommend trying it out.
> Thanks! I was not even aware of this functionality... Yes, I'll try
> that -- maybe, a bug in ipfw only hits once per 1000 invocations :-)
>
> -mi

blocksshd uses pf and a table to contain the addresses. You might want to check it out.
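The table-based approach quoted above (one static deny rule referencing an ipfw table, with the address set maintained separately) can be driven from sshd's auth log without ever re-adding firewall rules. The following script is an added example, not code from the thread, from blocksshd, or from FreeBSD: it tallies "Failed password" lines per source address and emits `ipfw table N add` entries for repeat offenders. The log lines are constructed samples in the shape of FreeBSD's auth.log, and the `IPFW` variable defaults to `echo` so the script runs offline; setting `IPFW=ipfw` on a host with ipfw loaded is an assumption about that host's setup.

```shell
#!/bin/sh
# Added example (not from the thread): count failed sshd logins per source
# address and emit ipfw table entries for addresses over a threshold.
# IPFW defaults to "echo" so this runs offline; on a FreeBSD box with ipfw
# loaded, set IPFW=ipfw (assumes the ipfw table syntax shown in the thread).
IPFW=${IPFW:-echo}
TABLE=${TABLE:-1}
THRESHOLD=${THRESHOLD:-3}

# Constructed sample lines in the shape of FreeBSD /var/log/auth.log.
SAMPLE_LOG='Aug 21 14:01:02 host sshd[2301]: Failed password for invalid user admin from 10.1.1.22 port 4412 ssh2
Aug 21 14:01:05 host sshd[2302]: Failed password for invalid user admin from 10.1.1.22 port 4413 ssh2
Aug 21 14:01:09 host sshd[2303]: Failed password for root from 10.1.1.22 port 4414 ssh2
Aug 21 14:02:11 host sshd[2310]: Failed password for invalid user test from 192.0.2.7 port 5120 ssh2
Aug 21 14:03:00 host sshd[2320]: Accepted publickey for mi from 192.0.2.9 port 5200 ssh2'

# Print "count addr" for every source with at least $1 failures.
# Reads log lines on stdin; only sshd "Failed password" lines are counted.
offenders() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (a in n) if (n[a] >= thr) print n[a], a }
    ' | sort -rn
}

# Emit (or run, when IPFW=ipfw) one "table add" per offender. Anything that
# is not a dotted-quad IPv4 address is skipped, so a crafted log line cannot
# smuggle extra arguments into the ipfw command line.
block_offenders() {
    offenders "$THRESHOLD" | while read -r count addr; do
        case "$addr" in
            *[!0-9.]*|"") continue ;;
        esac
        $IPFW table "$TABLE" add "$addr/32"
    done
}

# The one-time deny rule that references the table, as posted in the thread.
# It is installed once; the table entries change, the rule does not.
install_rule() {
    $IPFW add 00550 deny ip from "table($TABLE)" to any
}

printf '%s\n' "$SAMPLE_LOG" | block_offenders
```

Running it as-is prints `table 1 add 10.1.1.22/32` (three failures from that address, one from 192.0.2.7 which stays under the threshold); the accepted publickey login is ignored. Removing a blocked address later is the single `ipfw table 1 delete` command from the thread, again without touching the rule set.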