Too many dynamic rules created by infected machine

Sten Spans sten at blinkenlights.nl
Wed Sep 15 05:59:55 PDT 2004


On Tue, 14 Sep 2004, Pat Lashley wrote:

> --On Tuesday, September 14, 2004 20:59:43 -0400 "Eric W. Bates" <ericx_lists at vineyard.net> wrote:
>
> > It's a small store.  Folks with broken computers bring the
> > machines in because "It doesn't work". They usually don't
> > know what is wrong with any given machine; and they try to
> > be careful (remove the hard drive and attempt to clean it
> > first); but eventually there is a need to put the machine
> > on line and try to update Norton's virus list.
>
> Before bringing it on-line, why not mount the disk on a FreeBSD
> machine and run ClamAV over all the files?  It's not guaranteed
> to catch everything; but it should at least reduce the window.
>
> You could also consider setting it up so that the initial
> reconnection is on a separate cable going through a firewall
> that -only- allows the connections necessary to update the
> Norton virus list.  Once it is updated, unplug it from the
> network, run the virus check, and only then plug it into
> your main LAN.
>

What about:

ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4
ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4

To limit the number of evil connections, place these above the regular
keep-state rule.


-- 
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
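The following is an added illustration, not part of Sten's post or anything else in the thread. It is a small Python model of ipfw's first-match processing with check-state, keep-state and "limit src-addr N", written to show why the two limit rules have to sit above the regular keep-state rule: ipfw stops at the first matching rule, so a keep-state rule placed first swallows every SYN and the limit is never consulted. The rule grammar is a hand-written subset, the infected host 10.0.0.66 and the 10.0.0.0/24 LAN are constructed sample data, and the default rule is assumed to be deny; none of that comes from the page.

```python
"""Toy model of ipfw first-match processing with dynamic rules.

Added example; not ipfw and not from the mailing-list thread. Models only
check-state, keep-state, "limit src-addr N", "setup" and destination ports.
"""
from collections import Counter

INFECTED = "10.0.0.66"          # constructed: the customer's infected box


class ToyIpfw:
    """First-match rule processor with a dynamic-rule (state) table."""

    def __init__(self, rules):
        self.rules = rules
        # flow 4-tuple -> index of the rule that created the dynamic rule.
        # Real ipfw also expires these; the limit is on *open* sessions.
        self.dyn = {}
        self.dropped_too_many = 0   # ipfw logs "drop session ... too many entries"

    @staticmethod
    def _static_match(rule, pkt):
        if rule.get("proto") not in (None, pkt["proto"]):
            return False
        if rule.get("dport") not in (None, pkt["dport"]):
            return False
        # "setup": TCP packets with SYN set and ACK clear (new connections)
        if rule.get("setup") and not (pkt["syn"] and not pkt["ack"]):
            return False
        return True

    def process(self, pkt):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        for idx, rule in enumerate(self.rules):
            if rule["action"] == "check-state":
                if flow in self.dyn:        # packet of an open session
                    return "allow"
                continue
            if not self._static_match(rule, pkt):
                continue
            if "limit" in rule:
                # limit src-addr N: count sessions this rule holds open for
                # the same source address; at N ipfw drops the packet instead
                # of creating another dynamic rule (modelled per rule here).
                open_from_src = sum(1 for f, owner in self.dyn.items()
                                    if owner == idx and f[0] == pkt["src"])
                if open_from_src >= rule["limit"]:
                    self.dropped_too_many += 1
                    return "deny"
                self.dyn[flow] = idx
            elif rule.get("keep_state"):
                self.dyn[flow] = idx
            return rule["action"]
        return "deny"   # assumption: default rule 65535 is deny


CHECK_STATE = {"action": "check-state"}
LIMIT_445 = {"action": "allow", "proto": "tcp", "dport": 445, "setup": True, "limit": 4}
LIMIT_139 = {"action": "allow", "proto": "tcp", "dport": 139, "setup": True, "limit": 4}
KEEP_STATE = {"action": "allow", "proto": "tcp", "setup": True, "keep_state": True}

# Sten's ordering: the limit rules above the regular keep-state rule.
RIGHT_ORDER = [CHECK_STATE, LIMIT_445, LIMIT_139, KEEP_STATE]
# Same rules with keep-state first: it matches every SYN, so the limits
# are never reached.
WRONG_ORDER = [CHECK_STATE, KEEP_STATE, LIMIT_445, LIMIT_139]


def syn(src, dst, dport, sport):
    """Constructed TCP SYN (a new connection attempt)."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "syn": True, "ack": False}


def smb_scan(rules, n_targets=20, src=INFECTED):
    """Infected host tries SMB (445) to n_targets LAN hosts; verdict counts."""
    fw = ToyIpfw(rules)
    verdicts = Counter()
    for i in range(1, n_targets + 1):
        verdicts[fw.process(syn(src, f"10.0.0.{i}", 445, 40000 + i))] += 1
    return dict(verdicts)


def after_scan(rules):
    """The limit is per source address: after the scan the infected host can
    still reach an HTTP update server, and a clean host keeps its own budget."""
    fw = ToyIpfw(rules)
    for i in range(1, 21):
        fw.process(syn(INFECTED, f"10.0.0.{i}", 445, 40000 + i))
    return {"infected_http": fw.process(syn(INFECTED, "10.0.0.1", 80, 41000)),
            "clean_smb": fw.process(syn("10.0.0.7", "10.0.0.1", 445, 42000)),
            "drops_logged": fw.dropped_too_many}


if __name__ == "__main__":
    print("limit rules first:", smb_scan(RIGHT_ORDER))
    print("keep-state first: ", smb_scan(WRONG_ORDER))
    print("after the scan:   ", after_scan(RIGHT_ORDER))
```

With the limit rules first, the worm's scan of 20 hosts gets 4 sessions through and the other 16 SYNs are dropped, while the same host's HTTP connection and a clean host's SMB session are unaffected; with the keep-state rule first, all 20 SYNs are allowed and the limit rules are dead code. Because the model counts only open dynamic rules, it also reflects that "limit src-addr 4" means four concurrent sessions, not four ever; in real ipfw the dynamic rules age out according to the net.inet.ip.fw.dyn_* sysctls.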

