To many dynamic rules created by infected machine
Eric W. Bates
ericx_lists at vineyard.net
Wed Sep 15 07:00:06 PDT 2004
Sten Spans wrote:
>
> What about:
>
> ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4
> ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4
>
> To limit the amount of evil connections, place above the regular
> keep-state rule.
>
>
That looks good. I should have RTFM.
Is it reasonable to try something like:
ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100
Anyone ever figured out what the average/max number of simultaneous
dynamic rules needed to support an http session?
I'm not going to allow the 137-139,445 ports out (no need for file
sharing when repairing these things). But I'm going to have to allow 80,
443, whatever Norton, spybot, adaware, etc. use for their database updates.
----
The default (FBSD 4.9, ipfw 2) number of rules max seems to be 4096.
net.inet.ip.fw.dyn_max: 4096
Is it reasonable to pump this number up?
--
Eric W. Bates
More information about the freebsd-net
mailing list