To many dynamic rules created by infected machine
sten at blinkenlights.nl
Wed Sep 15 14:08:17 PDT 2004
On Wed, 15 Sep 2004, Eric W. Bates wrote:
> Sten Spans wrote:
> > What about:
> > ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4
> > ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4
> > To limit the amount of evil connections, place above the regular
> > keep-state rule.
> That looks good. I should have RTFM.
> Is it reasonable to try something like:
> ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100
> Anyone ever figured out what the average/max number of simultaneous
> dynamic rules needed to support an http session?
Normally a http request is one tcp connection,
some browsers open more connections to speed things up.
You could add special rules for avupdate-host.norton.com
An even better solution would be a (transparent) proxy
setup, with allow rules for *.norton.com in the proxy
The kind of restrictions you are trying to enforce are
quite a bit easier achieve with propper userland
"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem
More information about the freebsd-net