From owner-freebsd-stable@FreeBSD.ORG Thu Sep 9 21:27:43 2010
Return-Path:
Delivered-To: stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 641A110656D6 for ; Thu, 9 Sep 2010 21:27:43 +0000 (UTC) (envelope-from dudu@dudu.ro)
Received: from mail-qy0-f175.google.com (mail-qy0-f175.google.com [209.85.216.175]) by mx1.freebsd.org (Postfix) with ESMTP id 1F5818FC12 for ; Thu, 9 Sep 2010 21:27:42 +0000 (UTC)
Received: by qyk31 with SMTP id 31so6963350qyk.13 for ; Thu, 09 Sep 2010 14:27:42 -0700 (PDT)
Received: by 10.224.112.215 with SMTP id x23mr541486qap.37.1284065832626; Thu, 09 Sep 2010 13:57:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.38.83 with HTTP; Thu, 9 Sep 2010 13:56:29 -0700 (PDT)
In-Reply-To: <4C89215E.7010203@ksu.ru>
References: <20100909153902.GA28341@lordcow.org> <4C89215E.7010203@ksu.ru>
From: Vlad Galu
Date: Thu, 9 Sep 2010 23:56:29 +0300
Message-ID:
To: "Marat N.Afanasyev"
Content-Type: text/plain; charset=KOI8-R
Cc: Gareth de Vaux, stable@freebsd.org
Subject: Re: ipfw: Too many dynamic rules
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Thu, 09 Sep 2010 21:27:43 -0000

2010/9/9 Marat N.Afanasyev :
> I wonder, are these dynamic rules really necessary? Let's see, a client
> connects to your web-server and you immediately should create a new dynamic
> rule, therefore you participate in this DoS attack as well as the attacker. ;)

With a stateless firewall, you help the attacker even more. Because he's able to connect to your httpd/whatever daemon is listening directly and he can easily fill up the descriptor table of that process. Limiting the number of states/connections from the same host prevents that. Sure, those states eat up RAM, but so do the established connections.

Having a slightly more aggressive state expiry policy always helps. Sure, there are accf_http(9), accf_data(9) and various forking workarounds, but they don't work unless your TCP server is specifically designed to use them. PF also allows you to tarpit malicious hosts based on how often they try to reconnect - you can dynamically add them to a table which you can refer to from ALTQ.

-- 
Good, fast & cheap. Pick any two.
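The three measures the reply names (per-source connection limits, a shorter state expiry policy, and an overload table whose members are throttled through ALTQ) can all be expressed in a single pf.conf. The fragment below is an added illustration, not configuration from the thread or from the FreeBSD project; the interface name `em0`, the queue bandwidths, the timeout values and the connection thresholds are assumptions chosen for a small web server and must be sized for the real host.

```pf
# Added example pf.conf fragment (not from the mailing-list post).
# Assumed values: external interface em0, 100 Mb/s uplink, HTTP/HTTPS service.
ext_if = "em0"
www    = "{ 80, 443 }"

# 1. Aggressive state expiry: shrink the defaults (tcp.established is 86400s
#    by default) so half-open and idle connections stop holding state. The
#    adaptive timeouts scale all values down further as the state table fills.
set limit states 20000
set timeout { tcp.first 30, tcp.opening 15, tcp.established 3600, \
              tcp.closing 60, tcp.finwait 30, tcp.closed 20 }
set timeout { adaptive.start 12000, adaptive.end 20000 }

# 2. ALTQ: a default queue for normal traffic and a very narrow "tarpit" queue.
#    Queue assignment applies to the packets of the matching state as they
#    leave $ext_if, so replies to throttled hosts crawl instead of being cut.
altq on $ext_if cbq bandwidth 100Mb queue { std, tarpit }
queue std    bandwidth 99% cbq(default)
queue tarpit bandwidth 32Kb

# 3. Overload table: hosts that reconnect too aggressively are added here by
#    the "overload" option below. "persist" keeps the table when no rule
#    references it; entries are aged out from cron (see usage note).
table <abusers> persist

# Hosts already in the table are still answered, but squeezed into the tarpit
# queue and allowed very few simultaneous connections. "quick" makes this
# rule win over the general one that follows (pf is last-match otherwise).
pass in quick on $ext_if proto tcp from <abusers> to $ext_if port $www \
    flags S/SA keep state (max-src-conn 2, max-src-states 4) queue tarpit

# Everyone else: at most 50 established connections per source address and
# at most 20 new connections per 10 seconds. Crossing either limit adds the
# source to <abusers> and "flush global" drops every state it already holds,
# which also frees the descriptors the daemon was spending on it.
pass in on $ext_if proto tcp from any to $ext_if port $www \
    flags S/SA keep state (max-src-conn 50, max-src-conn-rate 20/10, \
                           overload <abusers> flush global) queue std
```

Entries in `<abusers>` do not expire on their own; a cron job such as `pfctl -t abusers -T expire 3600` removes addresses that have not been matched for an hour, and `pfctl -t abusers -T show` lists what is currently throttled. `pfctl -si` reports the state-table high-water mark, which is the number to watch when choosing `set limit states` and the adaptive thresholds.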