Date:      Wed, 15 Sep 2004 14:59:52 +0200 (CEST)
From:      Sten Spans <sten@blinkenlights.nl>
To:        Pat Lashley <patl+freebsd@volant.org>
Cc:        Julian Elischer <julian@elischer.org>
Subject:   Re: To many dynamic rules created by infected machine
Message-ID:  <Pine.SOL.4.58-Blink.0409151438200.16703@tea.blinkenlights.nl>
In-Reply-To: <B7A193EBF32592C1BC9C6000@vanvoght.phoenix.volant.org>
References:  <41473DD3.7030007@vineyard.net> <41473EF6.8030201@elischer.org> <B7A193EBF32592C1BC9C6000@vanvoght.phoenix.volant.org>

On Tue, 14 Sep 2004, Pat Lashley wrote:

> --On Tuesday, September 14, 2004 20:59:43 -0400 "Eric W. Bates" <ericx_lists@vineyard.net> wrote:
>
> > It's a small store.  Folks with broken computers bring the
> > machines in because "It doesn't work". They usually don't
> > know what is wrong with any given machine; and they try to
> > be careful (remove the hard drive and attempt to clean it
> > first); but eventually there is a need to put the machine
> > on line and try to update Norton's virus list.
>
> Before bringing it on-line, why not mount the disk on a FreeBSD
> machine and run ClamAV over all the files?  It's not guaranteed
> to catch everything; but it should at least reduce the window.
>
> You could also consider setting it up so that the initial
> reconnection is on a separate cable going through a firewall
> that -only- allows the connections necessary to update the
> Norton virus list.  Once it is updated, unplug it from the
> network, run the virus check, and only then plug it into
> your main LAN.
>

What about:

ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4
ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4

To limit the number of evil connections, place these above the regular
keep-state rule.


-- 
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
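An added example, not from the thread: a POSIX sh function run over constructed `ipfw -d list` output (column layout assumed from FreeBSD's ipfw: rule, packets, bytes, expiry, type, proto, src, sport, `<->`, dst, dport) that counts live dynamic rules per source address toward ports 445/139 and reports any source holding more than the `limit src-addr` value, which is the condition the rules above are meant to prevent.

```sh
#!/bin/sh
# Constructed sample of `ipfw -d list` output: one host (192.168.10.5) has
# opened five SMB/NetBIOS states, one more than `limit src-addr 4` allows.
SAMPLE='## Dynamic rules (6 1024):
00300    12    1440 (300s) STATE tcp 192.168.10.5 1025 <-> 10.0.0.1 445
00300     3     180 (299s) STATE tcp 192.168.10.5 1026 <-> 10.0.0.2 445
00300     3     180 (298s) STATE tcp 192.168.10.5 1027 <-> 10.0.0.3 139
00300     3     180 (297s) STATE tcp 192.168.10.5 1028 <-> 10.0.0.4 445
00300     3     180 (296s) STATE tcp 192.168.10.5 1029 <-> 10.0.0.5 445
00300    40    5200 (295s) STATE tcp 192.168.10.7 2001 <-> 10.0.0.9 80'

# count_states LISTING PORTS MAX
# Prints "src count" for every source address that holds more than MAX
# dynamic rules toward any of the space-separated destination PORTS.
# On a live box replace the first argument with "$(ipfw -d list)".
count_states() {
    printf '%s\n' "$1" | awk -v ports="$2" -v max="$3" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # Only dynamic-rule lines carry "<->"; $7 is the source address of
        # the packet that created the state, $NF the destination port.
        /<->/ && ($NF in want) { c[$7]++ }
        END { for (s in c) if (c[s] > max) printf "%s %d\n", s, c[s] }'
}

count_states "$SAMPLE" "445 139" 4
```

Run periodically from cron, a non-empty result names the machine to pull off the LAN before it exhausts the dynamic rule table.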



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.SOL.4.58-Blink.0409151438200.16703>