Too many dynamic rules created by infected machine
Eric W. Bates
ericx_lists at vineyard.net
Thu Sep 16 06:14:26 PDT 2004
Sten Spans wrote:
> On Wed, 15 Sep 2004, Eric W. Bates wrote:
>
>>
>>That looks good. I should have RTFM.
>>
>>Is it reasonable to try something like:
>>
>>ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100
>>
>>Anyone ever figured out what the average/max number of simultaneous
>>dynamic rules needed to support an http session?
>
>
> Normally a http request is one tcp connection,
> some browsers open more connections to speed things up.
> You could add special rules for avupdate-host.norton.com
> or somesuch.
>
> An even better solution would be a (transparent) proxy
> setup, with allow rules for *.norton.com in the proxy
> software.
> The kind of restrictions you are trying to enforce are
> quite a bit easier to achieve with proper userland
> proxy software.
>
Excellent idea. There is already a squid running on that machine. Can I
force a client to use a proxy with:
ipfw add forward myhost tcp from evil/24 to not myhost dst-port 3128