To many dynamic rules created by infected machine
Sten Spans
sten at blinkenlights.nl
Wed Sep 15 14:08:17 PDT 2004
On Wed, 15 Sep 2004, Eric W. Bates wrote:
>
>
> Sten Spans wrote:
>
> >
> > What about:
> >
> > ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4
> > ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4
> >
> > To limit the amount of evil connections, place above the regular
> > keep-state rule.
> >
> >
>
> That looks good. I should have RTFM.
>
> Is it reasonable to try something like:
>
> ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100
>
> Anyone ever figured out what the average/max number of simultaneous
> dynamic rules needed to support an http session?
Normally a http request is one tcp connection,
some browsers open more connections to speed things up.
You could add special rules for avupdate-host.norton.com
or somesuch.
An even better solution would be a (transparent) proxy
setup, with allow rules for *.norton.com in the proxy
software.
The kind of restrictions you are trying to enforce are
quite a bit easier achieve with propper userland
proxy software.
--
Sten Spans
"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
More information about the freebsd-net
mailing list