On 8/24/05, Bryan Irvine <[EMAIL PROTECTED]> wrote:

> > I personally like to 'pass keep state' with a 'scrub all' rule. This at least gives me some interesting statistics to poke at when I'm bored. Plus, I can firewall who gets to ssh into my machine.
>
> Another good use is {max-src-states ##} for webservers and the like. I have a webserver that would crash at 9am every morning when a few bots (2 in particular) would crawl the site. They are poorly configured and open roughly 120 simultaneous connections. They were very low bandwidth, but there went all available connections.
>
> To quote Theo it's "Horse-shit" to say you don't need to filter single hosts.
I left out a lot of my reasoning for feeling the way I do in my first mail about not needing a packet filter on single hosts, and it's more a personal preference, not telling everyone that you're all idiots for wanting to. If your web server crashes because it has 240 connections open (I'm assuming 120 per bot) then there seems to be something else wrong with it, and that shouldn't be ignored by just throwing up pf.

It was more that for me, if I throw up pf to protect a single host, I tend to get lazy in the administration of it, and start ignoring things that should really be looked at (like applications opening up random ports, in reference to an earlier KDE post). I really don't think that a desktop environment should be opening up anything at all, and so I'd rather just not run it instead of run a desktop environment that I have no idea what it's doing on the network.

If anyone is interested any further as to why I feel the way I do, email me privately, since this is getting way off topic and doesn't belong on the openbsd-misc mailing list anyways.

Jason
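As an added illustration of the single-host pf setup the thread discusses (not a configuration posted by either participant), here is a pf.conf fragment that combines `scrub`, `keep state`, a restricted ssh rule and a per-source state cap on the web port. The interface name, table names and the limit of 30 states per source are assumptions chosen for the example; the `overload` option needs a pf newer than the one the thread was written against (OpenBSD 3.7 or later), so drop that part on an older system.

```conf
# Assumed external interface name.
ext_if = "fxp0"

# Hosts allowed to ssh in (assumed addresses, maintained by hand).
table <admins> { 192.0.2.10, 192.0.2.11 }

# Sources that exceeded the per-source state limit on the web port.
# Populated automatically by the 'overload' option below; clear with
# 'pfctl -t greedy -T flush' once the crawler has gone away.
table <greedy> persist

# Normalize incoming traffic before it reaches the filter rules.
scrub in all

# Default deny inbound; state tracking lets replies come back.
block in on $ext_if
pass out on $ext_if keep state

# Anything already in <greedy> is cut off before the web rule is evaluated.
block in quick on $ext_if from <greedy>

# ssh only from the admin hosts.
pass in on $ext_if proto tcp from <admins> to $ext_if port 22 \
    flags S/SA keep state

# Web: a single source may hold at most 30 states. A well-behaved browser
# stays far below that; a crawler opening ~120 connections trips the
# limit, is added to <greedy>, and has its existing states flushed, so it
# can no longer exhaust the server's connection backlog.
pass in on $ext_if proto tcp from any to $ext_if port 80 \
    flags S/SA keep state (max-src-states 30, overload <greedy> flush)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s state | grep ':80'` shows how many states each source currently holds, which is a quick way to pick a `max-src-states` value that leaves ordinary clients unaffected.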