Re: To many dynamic rules created by infected machine

2004-09-16 Thread Eric W. Bates
Sten Spans wrote: On Wed, 15 Sep 2004, Eric W. Bates wrote: That looks good. I should have RTFM. Is it reasonable to try something like: ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100 Anyone ever figured out what the average/max number of simultaneous dynamic rules ne

Re: To many dynamic rules created by infected machine

2004-09-15 Thread Sten Spans
On Wed, 15 Sep 2004, Eric W. Bates wrote: > > > Sten Spans wrote: > > > > > What about: > > > > ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4 > > ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4 > > > > To limit the amount of evil connections, place a

Re: To many dynamic rules created by infected machine

2004-09-15 Thread Eric W. Bates
Sten Spans wrote: What about: ipfw add allow tcp from evil/24 to any port 445 setup limit src-addr 4 ipfw add allow tcp from evil/24 to any port 139 setup limit src-addr 4 To limit the amount of evil connections, place above the regular keep-state rule. That looks good. I should have RTFM. Is it
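The rules Sten proposes above (and Eric's later `limit src-addr 100` variant for port 80) bound the number of dynamic rules one source can create per rule, which is what keeps a sweeping infected host from filling the dynamic table and starving everyone else. The following is an added model of that accounting, not code from the thread or from ipfw itself: it approximates ipfw(8) semantics (first matching rule wins, `limit src-addr N` denies the N+1th new state from a source, a full dynamic table denies new states) and ignores state timeouts, reply traffic and non-TCP protocols. The table size `DEFAULT_DYN_MAX` is an assumed stand-in for `sysctl net.inet.ip.fw.dyn_max`; the real values to check on a box are `net.inet.ip.fw.dyn_max` and `net.inet.ip.fw.dyn_count`. Target addresses and ports in the sweep are constructed.

```python
"""Model of ipfw dynamic-rule accounting for 'keep-state' versus
'limit src-addr N'. Illustration only; approximates ipfw(8) semantics
and ignores state expiry, reply packets and non-TCP traffic."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_DYN_MAX = 4096  # assumed stand-in for sysctl net.inet.ip.fw.dyn_max


@dataclass
class Rule:
    """One 'allow tcp from <net> to any [dst-port P] setup ...' rule.

    dst_port None means 'any'. limit_src_addr None means the rule ends in
    plain 'keep-state'; an integer N means 'limit src-addr N'.
    """
    dst_port: Optional[int] = None
    limit_src_addr: Optional[int] = None


@dataclass
class Firewall:
    rules: list
    dyn_max: int = DEFAULT_DYN_MAX
    # Dynamic rules, keyed by (src, sport, dst, dport).
    dyn: set = field(default_factory=set)
    # Per-(rule index, source address) count: the quantity 'limit src-addr' checks.
    per_src: dict = field(default_factory=lambda: defaultdict(int))

    def syn(self, src: str, sport: int, dst: str, dport: int) -> str:
        """Handle a TCP SYN ('setup'). The first matching rule decides, as in ipfw."""
        for idx, rule in enumerate(self.rules):
            if rule.dst_port is not None and rule.dst_port != dport:
                continue
            if len(self.dyn) >= self.dyn_max:
                return "deny"  # dynamic table full: the SYN is dropped
            if (rule.limit_src_addr is not None
                    and self.per_src[(idx, src)] >= rule.limit_src_addr):
                return "deny"  # this source already holds N states under this rule
            self.dyn.add((src, sport, dst, dport))
            self.per_src[(idx, src)] += 1
            return "allow"
        return "deny"  # no matching allow rule

    def dyn_count(self) -> int:
        """Counterpart of sysctl net.inet.ip.fw.dyn_count."""
        return len(self.dyn)


def sweep(fw: Firewall, src: str, dport: int, hosts: int) -> int:
    """Infected host `src` SYN-sweeps `hosts` distinct targets on `dport`.
    Returns how many SYNs were allowed, i.e. how many dynamic rules it created."""
    allowed = 0
    for n in range(hosts):
        dst = f"10.{(n >> 8) & 0xFF}.{n & 0xFF}.1"  # constructed target address
        if fw.syn(src, 1024 + n, dst, dport) == "allow":
            allowed += 1
    return allowed


def keep_state_only() -> Firewall:
    """The original ruleset: one keep-state rule for everything."""
    return Firewall(rules=[Rule()])


def limited_then_keep_state() -> Firewall:
    """Sten's suggestion: per-source limits for 445/139 placed BEFORE keep-state."""
    return Firewall(rules=[Rule(445, 4), Rule(139, 4), Rule()])


def keep_state_then_limited() -> Firewall:
    """Wrong order: keep-state first, so the limit rules are never reached."""
    return Firewall(rules=[Rule(), Rule(445, 4), Rule(139, 4)])


if __name__ == "__main__":
    for name, build in [("keep-state only", keep_state_only),
                        ("limit before keep-state", limited_then_keep_state),
                        ("keep-state before limit", keep_state_then_limited)]:
        fw = build()
        got = sweep(fw, "192.0.2.66", 445, 5000)
        # After the sweep, can an unrelated host still open a web connection?
        other = fw.syn("192.0.2.10", 40000, "198.51.100.1", 80)
        print(f"{name:24s} allowed={got:5d} "
              f"dyn_count={fw.dyn_count()}/{fw.dyn_max} other-host-port-80={other}")
```

Running it shows the two points the thread makes: with plain keep-state the sweeping host fills the table and the unrelated host's port-80 SYN is denied, with the limit rules in front the sweep is capped at 4 states per rule and everything else still flows, and with the limit rules placed after keep-state they never match, so rule order is the whole fix.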

Re: To many dynamic rules created by infected machine

2004-09-15 Thread Sten Spans
On Tue, 14 Sep 2004, Pat Lashley wrote: > --On Tuesday, September 14, 2004 20:59:43 -0400 "Eric W. Bates" <[EMAIL PROTECTED]> > wrote: > > > It's a small store. Folks with broken computers bring the > > machines in because "It doesn't work". They usually don't > > know what is wrong with any giv

Re: To many dynamic rules created by infected machine

2004-09-15 Thread Eric W. Bates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Pat Lashley wrote: | --On Tuesday, September 14, 2004 20:59:43 -0400 "Eric W. Bates" | <[EMAIL PROTECTED]> wrote: | |> It's a small store. Folks with broken computers bring the |> machines in because "It doesn't work". They usually don't |> know what

Re: To many dynamic rules created by infected machine

2004-09-14 Thread Pat Lashley
--On Tuesday, September 14, 2004 20:59:43 -0400 "Eric W. Bates" <[EMAIL PROTECTED]> wrote: It's a small store. Folks with broken computers bring the machines in because "It doesn't work". They usually don't know what is wrong with any given machine; and they try to be careful (remove the hard dri

Re: To many dynamic rules created by infected machine

2004-09-14 Thread Eric W. Bates
Julian Elischer wrote: how about preceding the keep-state rule with some specific rules against that machine.. (or turning it off)? what KIND of sweep? It's a small store. Folks with broken computers bring the machines in because "It doesn't work". They usually don't know what is wrong with

Re: To many dynamic rules created by infected machine

2004-09-14 Thread Julian Elischer
how about preceding the keep-state rule with some specific rules against that machine.. (or turning it off)? what KIND of sweep? Eric W. Bates wrote: Friends run an IT business and I helped build them a firewall using ipfw. The box has multiple interfaces; one of which is untrusted and it is