On 8/24/05, Bryan Irvine <[EMAIL PROTECTED]> wrote:
> > I personally like to 'pass keep state' with a 'scrub all' rule. This
> > at least gives me some interesting statistics to poke at when I'm
> > bored. Plus, I can firewall who gets to ssh into my machine.
> 
> Another good use is {max-src-states  ##} for webservers and the like.
> I have a webserver that would crash at 9am every morning when a few
> bots (2 in particular) would crawl the site.  They are poorly
> configured and open roughly 120 simultaneous connections.  They were
> very low bandwidth, but there went all available connections.
> 
> To quote Theo it's "Horse-shit" to say you don't need to filter single hosts.
> 

I left out a lot of my reasoning for feeling the way I do in my first
mail about not needing a packet filter on single hosts, and it's more
a personal preference, not telling everyone that you're all idiots for
wanting to. If your web server crashes because it has 240 connections
open (I'm assuming 120 per bot) then there seems to be something else
wrong with it, and that shouldn't be ignored by just throwing up pf. It was
more that for me, if I throw up pf to protect a single host, I tend to
get lazy in the administration of it, and start ignoring things that
should really be looked at (like applications opening up random ports,
in reference to an earlier KDE post). I really don't think that a
desktop environment should be opening up anything at all, and so I'd
rather just not run it than run a desktop environment when I
have no idea what it's doing on the network. If anyone is interested
any further as to why I feel the way I do, email me privately, since
this is getting way off topic and doesn't belong on the openbsd-misc
mailing list anyways.

Jason
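For readers who want to see the rules this thread talks about in one place, here is a pf.conf fragment that puts them together: `scrub` plus `keep state` so blocked traffic shows up in the counters, ssh restricted to one source address, and `max-src-states` on the web server rule so a misbehaving crawler cannot hold every available connection. This is an added example, not configuration posted by anyone in the thread; the interface name `fxp0`, the admin address `192.0.2.10` and the limit of 30 are assumptions, and the syntax is the explicit `keep state` form used on OpenBSD releases of that era.

```pf
# Added example (not from the thread): pf.conf for a single host running a web server.
# Assumed interface and trusted admin address; adjust both to the host in question.
ext_if = "fxp0"
admin  = "192.0.2.10"          # documentation-range address standing in for the admin's box

# Normalize all inbound traffic before filtering.
scrub in all

# Default deny inbound, logged, so pfctl -si / pflog yield the statistics to poke at.
block in log on $ext_if all

# Outbound is unrestricted but tracked, so replies are allowed back in by state.
pass out on $ext_if keep state

# ssh only from the trusted admin address.
pass in on $ext_if proto tcp from $admin to ($ext_if) port 22 flags S/SA keep state

# Web traffic from anywhere, but no single source IP may hold more than 30 state
# entries at once. A crawler that opens 120 parallel connections is capped at 30;
# its further SYNs are dropped until some of its existing states expire.
# Pick the limit above what a legitimate client needs: browsers open several
# parallel connections, and many clients behind one NAT share one source IP.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA \
    keep state (max-src-states 30)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and use `pfctl -ss` to see how many states a given source currently holds when tuning the limit. Note that this caps states at the filter only; it does not raise the server's own connection limit, which is the point Jason makes above about fixing the application rather than hiding the symptom.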
