Too many dynamic rules created by infected machine
Eric W. Bates
ericx_lists at vineyard.net
Tue Sep 14 17:59:48 PDT 2004
Julian Elischer wrote:
> how about preceding the keep-state rule with some specific rules
> against that machine..
> (or turning it off)? what KIND of sweep?
It's a small store. Folks with broken computers bring the machines in
because "It doesn't work". They usually don't know what is wrong with
any given machine; and they try to be careful (remove the hard drive and
attempt to clean it first); but eventually there is a need to put the
machine on line and try to update Norton's virus list.
Over the weekend a less savvy staffer was working on a laptop with some
infection or other (the machine does not have a tcpdump store running so
I don't know exactly what happened). The firewall started to fail
because of the overwhelming number of dynamic rules created; and he did
not connect the customer's machine on the workbench with their problem
(he rebooted the FreeBSD machine...).
I'm guessing it had Sasser (or similar) and it was attempting to open up
199.x.x.1 : 445
199.x.x.2 : 445
199.x.x.3 : 445
199.x.x.4 : 445
There is a dhcp server passing out addresses to the "bench" network; so if
there is a way to limit the number of dynamic rules created, I can apply
it to that IP range easily enough.
> Eric W. Bates wrote:
>> Friends run an IT business and I helped build them a firewall using
>> The box has multiple interfaces; one of which is untrusted and it is
>> where they put suspect machines (customer boxes with high likelihood
>> of viruses and other evil Windoze ailments).
>> Their network is well protected; however there is now an inadvertent
>> DOS when a particularly virulent machine performs a sweep attack on
>> some block of IP, because we have a check-state/keep-state.
>> Sep 11 16:00:01 <kern.crit> hostname /kernel: ipfw: install_state: Too many dynamic rules
>> Is there a way to limit the number of rules a given host can create
>> in x number of minutes?
>> Thanks for your time.
>> Eric W. Bates
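The per-host cap Eric asks for is what ipfw's "limit src-addr N" keyword does: it behaves like keep-state, but once a single source address holds N dynamic rules under that rule, further new flows from it are dropped rather than installing another state, so one sweeping laptop cannot exhaust the global dynamic-rule table for the rest of the box. The script below is an added example written for this page; it is not part of the thread and not a ruleset anyone in it posted. It assumes a hypothetical bench subnet 192.0.2.0/24 reached through interface fxp1, free rule numbers 1000-1300, an ipfw that supports "limit", and illustrative sysctl values; the weak "keep-state" form the thread describes is shown in a comment next to the capped form. With IPFW_DRY_RUN=1 it prints the commands instead of executing them, so it can be inspected on any machine; set BENCH_APPLY=1 on the firewall to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread): cap how many dynamic rules
# any one bench host may create, using "limit src-addr N" instead of a plain
# "keep-state". Hypothetical values: bench subnet 192.0.2.0/24 on fxp1,
# rule numbers 1000-1300 free, sysctl values chosen for illustration only.
# IPFW_DRY_RUN=1 prints the commands instead of running them.

BENCH_NET=${BENCH_NET:-192.0.2.0/24}
BENCH_IF=${BENCH_IF:-fxp1}
PER_HOST_LIMIT=${PER_HOST_LIMIT:-30}   # max concurrent flows per bench host

# Run a command, or echo it when IPFW_DRY_RUN=1.
run() {
    if [ "${IPFW_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Age half-open (SYN-only) states out quickly so a sweep of closed ports
# does not pin entries for long, and give the table some headroom.
# Current usage can be watched with: sysctl net.inet.ip.fw.dyn_count
dyn_tuning() {
    run sysctl net.inet.ip.fw.dyn_syn_lifetime=10
    run sysctl net.inet.ip.fw.dyn_max=4096
}

# Bench ruleset. check-state must come first so packets belonging to an
# existing flow are matched before any new state is considered.
bench_rules() {
    run ipfw add 1000 check-state
    # Weak form (what the thread describes): unlimited states per host.
    #   ipfw add 1100 allow ip from "$BENCH_NET" to any keep-state
    # Capped form: the 31st simultaneous flow from one source is dropped.
    run ipfw add 1100 allow tcp from "$BENCH_NET" to any setup \
        in via "$BENCH_IF" limit src-addr "$PER_HOST_LIMIT"
    run ipfw add 1200 allow udp from "$BENCH_NET" to any \
        in via "$BENCH_IF" limit src-addr "$PER_HOST_LIMIT"
    # Anything else from the bench is refused and logged, which names the
    # noisy host in the log instead of only reporting a full table.
    run ipfw add 1300 deny log ip from "$BENCH_NET" to any in via "$BENCH_IF"
}

if [ "${BENCH_APPLY:-0}" = 1 ]; then
    dyn_tuning
    bench_rules
fi
```

The cap only bounds what one source can hold at a time; a worm that cycles through targets faster than states expire will still hit the per-host limit and have its extra SYNs dropped, which is the intended outcome here. "ipfw -d list" shows the dynamic rules currently installed, so the source with the most entries can be identified before the table fills.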