From: Julian Elischer
Date: Tue, 14 Sep 2004 11:56:54 -0700
To: "Eric W. Bates"
Cc: freebsd-net@freebsd.org
Subject: Re: To many dynamic rules created by infected machine
Message-ID: <41473EF6.8030201@elischer.org>
In-Reply-To: <41473DD3.7030007@vineyard.net>
List-Id: Networking and TCP/IP with FreeBSD

How about preceding the keep-state rule with some specific rules against
that machine (or turning it off)?

What KIND of sweep?

Eric W. Bates wrote:
> Friends run an IT business and I helped build them a firewall using ipfw.
>
> The box has multiple interfaces; one of which is untrusted and it is
> where they put suspect machines (customer boxes with high likelihood
> of viruses and other evil Windoze ailments).
>
> Their network is well protected; however there is now an inadvertent
> DOS when a particularly virulent machine performs a sweep attack on
> some block of IP, because we have a check-state/keep-state.
>
> Sep 11 16:00:01 hostname /kernel: ipfw: install_state: Too many dynamic rules
>
> Is there a way to limit the number of rules a given host can create in
> x number of minutes?
>
> Thanks for your time.
> --
> Eric W. Bates
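As an added illustration (not part of the thread, and not Eric's or Julian's ruleset), here is a small generator for an ipfw2 ruleset that applies Julian's suggestion (specific rules before check-state) together with ipfw's own per-source `limit` option and the `net.inet.ip.fw.dyn_max` ceiling. Interface name, host address, rule numbers and limit values are placeholder assumptions; pipe the output through `sh` on the firewall to apply it.

```shell
#!/bin/sh
# Added example, not from the thread. Emits ipfw2 commands that bound how much
# dynamic-rule state one host on the untrusted interface can create.
# Assumptions: interface/host/rule numbers below are placeholders.

# gen_ruleset <untrusted_if> <quarantined_host> <per_host_limit> <dyn_max>
gen_ruleset() {
    untrusted_if=$1; quarantined=$2; per_host=$3; dyn_max=$4

    # Global ceiling on the dynamic table; size it for the box rather than
    # living with the small default that "Too many dynamic rules" reports.
    echo "sysctl net.inet.ip.fw.dyn_max=${dyn_max}"
    # Age out half-open entries quickly so a sweep's state expires fast.
    echo "sysctl net.inet.ip.fw.dyn_syn_lifetime=10"

    # Julian's point: a specific rule against the offending host goes
    # before the state rules, so its packets never create state at all.
    echo "ipfw add 100 deny ip from ${quarantined} to any in via ${untrusted_if}"

    echo "ipfw add 200 check-state"

    # 'limit src-addr N' creates state like keep-state but refuses to add
    # more than N entries per source address, so one host cannot fill the
    # table for everyone else.
    echo "ipfw add 300 allow tcp from any to any setup in via ${untrusted_if} limit src-addr ${per_host}"
    echo "ipfw add 310 allow udp from any to any in via ${untrusted_if} limit src-addr ${per_host}"

    # Trusted-side traffic keeps ordinary keep-state behaviour.
    echo "ipfw add 400 allow ip from any to any out keep-state"
    echo "ipfw add 65000 deny ip from any to any"
}

# rule_number_of <pattern> <gen_ruleset args...>: rule number of the first
# emitted rule matching <pattern>; used to verify ordering of the rules.
rule_number_of() {
    pat=$1; shift
    gen_ruleset "$@" | grep -m1 -e "$pat" | awk '{print $3}'
}
```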