Date: Tue, 14 Sep 2004 20:59:43 -0400
From: "Eric W. Bates" <ericx_lists@vineyard.net>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-net@freebsd.org
Subject: Re: To many dynamic rules created by infected machine
Message-ID: <414793FF.3000008@vineyard.net>
In-Reply-To: <41473EF6.8030201@elischer.org>
References: <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org>
Julian Elischer wrote:
> how about preceding the keep-state rule with some specific rules
> against that machine..
> (or turning it off)? what KIND of sweep?
>

It's a small store. Folks with broken computers bring the machines in because "It doesn't work". They usually don't know what is wrong with any given machine; and they try to be careful (remove the hard drive and attempt to clean it first); but eventually there is a need to put the machine on line and try to update Norton's virus list.

Over the weekend a less savvy staffer was working on a laptop with some infection or other (the machine does not have a tcpdump store running so I don't know exactly what happened). The firewall started to fail because of the overwhelming number of dynamic rules created; and he did not connect the customer's machine on the workbench with their problem (he rebooted the FreeBSD machine...).

I'm guessing it had Sasser (or similar) and it was attempting to open up connections to:

199.x.x.1 : 445
199.x.x.2 : 445
199.x.x.3 : 445
199.x.x.4 : 445
...

There is a dhcp server passing out addresses to the "bench" network; so if there is a way to limit the number of dynamic rules created, I can apply it to that IP range easily enough.

>
>
> Eric W. Bates wrote:
>
>> Friends run an IT business and I helped build them a firewall using
>> ipfw.
>>
>> The box has multiple interfaces; one of which is untrusted and it is
>> where they put suspect machines (customer boxes with high likelihood
>> of viruses and other evil Windoze ailments).
>>
>> Their network is well protected; however there is now an inadvertent
>> DOS when a particularly virulent machine performs a sweep attack on
>> some block of IP, because we have a check-state/keep-state.
>>
>> Sep 11 16:00:01 <kern.crit> hostname /kernel: ipfw: install_state:
>> Too many dynamic rules
>>
>> Is there a way to limit the number of rules a given host can create
>> in x number of minutes?
>>
>>
>> Thanks for your time.
>> --
>> Eric W. Bates
>
>
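Added example, not part of the thread: a small sh script that reads dynamic-rule output in the shape of `ipfw -d list` and reports which source host is holding the most states, so the offending bench machine can be named in specific rules ahead of check-state, as Julian suggests. The sample lines are constructed, and the column layout assumed for that output (rule, pkts, bytes, timeout, STATE, proto, src, sport, <->, dst, dport) is an assumption, not copied from the thread.

```shell
#!/bin/sh
# Constructed sample in the shape of `ipfw -d list` output: one bench host
# (10.1.1.23) sweeping port 445 across a range, one host with normal traffic.
SAMPLE_DYN_RULES='## Dynamic rules (6):
00300 1 48 (4s) STATE tcp 10.1.1.23 1034 <-> 199.0.0.1 445
00300 1 48 (4s) STATE tcp 10.1.1.23 1035 <-> 199.0.0.2 445
00300 1 48 (4s) STATE tcp 10.1.1.23 1036 <-> 199.0.0.3 445
00300 1 48 (4s) STATE tcp 10.1.1.23 1037 <-> 199.0.0.4 445
00300 12 6400 (280s) STATE tcp 10.1.1.7 2210 <-> 192.0.2.10 80
00300 3 900 (120s) STATE udp 10.1.1.7 1051 <-> 192.0.2.53 53'

# count_states_per_src: read dynamic-rule lines on stdin and print
# "<states> <distinct destinations> <src>", heaviest source first.
# A sweep shows up as many states spread over many distinct destinations.
count_states_per_src() {
    awk '$5 == "STATE" {
             n[$7]++
             if (!seen[$7 SUBSEP $10]++) dsts[$7]++
         }
         END { for (s in n) printf "%d %d %s\n", n[s], dsts[s], s }' |
    sort -rn
}

# flag_sweepers THRESHOLD: print sources holding at least THRESHOLD states.
flag_sweepers() {
    threshold="$1"
    count_states_per_src | awk -v t="$threshold" '$1 >= t { print $3 }'
}

# sweepers_in_sample THRESHOLD: same check run over the constructed sample.
sweepers_in_sample() {
    printf '%s\n' "$SAMPLE_DYN_RULES" | flag_sweepers "$1"
}

# On the firewall itself the live form would be:  ipfw -d list | flag_sweepers 50
if [ "${1:-}" = "--demo" ]; then
    sweepers_in_sample 4
fi
```

The threshold is deliberately low for the six-line sample; on a real bench network pick it well above what a machine doing a Norton update legitimately opens.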