To many dynamic rules created by infected machine

Eric W. Bates ericx_lists at
Tue Sep 14 17:59:48 PDT 2004

Julian Elischer wrote:

> how about preceeding the keep-state rule with some specific rules 
> against that machine..
> (or turning it off)?  what KIND of sweep?
It's a small store.  Folks with broken computers bring the machines in 
because "It doesn't work". They usually don't know what is wrong with 
any given machine; and they try to be careful (remove the hard drive and 
attempt to clean it first); but eventually there is a need to put the 
machine on line and try to update Norton's virus list.

Over the weekend a less savvy staffer was working on a laptop with some 
infection or other (the machine does not have a tcpdump store running so 
I don't know exactly what happened). The firewall started to fail 
because of the overwhelming number of dynamic rules created; and he did 
not connect the customer's machine on the workbench with their problem 
(he rebooted the FreeBSD machine...).

I'm guessing it had Sasser (or similar) and it was attempting to open up 
connections to:

199.x.x.1 : 445
199.x.x.2 : 445
199.x.x.3 : 445
199.x.x.4 : 445

There is a dhcp server passing out address to the "bench" network; so if 
there is a way to limit the number of dynamic rules created, I can apply 
it to that IP range easily enough.

> Eric W. Bates wrote:
>> Friends run an IT business and I helped build them a firewall using 
>> ipfw.
>> The box has multiple interfaces; one of which is untrusted and it is 
>> where they put suspect machines (customer boxes with high likelihood 
>> of viruses and other evil Windoze ailments).
>> Their network is well protected; however there is now an inadvertent 
>> DOS when a particularly virulent machine performs a sweep attack on 
>> some block of IP, because we have a check-state/keep-state.
>> Sep 11 16:00:01 <kern.crit> hostname /kernel: ipfw: install_state: 
>> Too many dynamic rules
>> Is there a way to limit the number of rules a given host can create 
>> in x number of minutes?
>> Thanks for your time.
>> -- 
>> Eric W. Bates
>> _______________________________________________
>> freebsd-net at mailing list
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at"

More information about the freebsd-net mailing list