To many dynamic rules created by infected machine

Sten Spans sten at
Wed Sep 15 14:08:17 PDT 2004

On Wed, 15 Sep 2004, Eric W. Bates wrote:

> Sten Spans wrote:
> >
> > What about:
> >
> > ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4
> > ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4
> >
> > To limit the amount of evil connections, place above the regular
> > keep-state rule.
> >
> >
> That looks good.  I should have RTFM.
> Is it reasonable to try something like:
> ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100
> Anyone ever figured out what the average/max number of simultaneous
> dynamic rules needed to support an http session?

Normally a http request is one tcp connection,
some browsers open more connections to speed things up.
You could add special rules for
or somesuch.

An even better solution would be a (transparent) proxy
setup, with allow rules for * in the proxy
The kind of restrictions you are trying to enforce are
quite a bit easier achieve with propper userland
proxy software.

Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem

More information about the freebsd-net mailing list