On Thu, 17 Nov 2005, mouss wrote:

Three firewall rules I think nobody should live without:

1) ipfw add 500 allow tcp from any to me 25 limit src-addr 2 setup

Yup, you read that right. Limits TCP connections to no more than two per connecting address. You could probably even drop that to one.

2) ipfw add 600 allow tcp from any to any 25 uid root

Yeah, seems simple, allows root to connect to other machines on port 25. Until you come to this:

3) ipfw add 610 deny log logamount 100 tcp from any to any 25 out

Matches AFTER the above rule. Meaning? User processes can't connect to send outbound mail anymore. They HAVE TO go through the local MTA (where, presumably, the UID/PID can be logged).

So the next time a user has a crap phpBB or something that lets exploits through -- I've got that much less to worry about.

-Dan


Roger Taranto wrote:


If it didn't tie up sockets on our machines, it seems like instead of
rejecting the mail, we should just hold on to the mail connection for as
long as possible.  It wouldn't take too long to tie up all of their
outbound connections and back up their mail server.  Unfortunately, it
punishes our mail servers, too. :(


One way to do that would be to "pass the descriptor" to a light process that will only keep them connected, for example by setting the TCP window to zero. Now, this would only be safe if you modify the TCP stack to do that without keeping too much info.

On the other hand, they have so much bandwidth/power available via zombies that this seems like playing a self-DoS game.


--

"I wish the Real World would just stop hassling me!"

-Matchbox 20, Real World, off the album "Yourself or Someone Like You"


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
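The three rules above as an installable script, as an added example that is not code from Dan's post. It assumes FreeBSD ipfw with rule numbers 500/600/610 free, and that MTA_UID is the uid the local MTA's outbound SMTP client actually runs as (root for the setup in the post; Postfix's smtp client runs as the postfix user, so set MTA_UID=postfix there). Rule 600 gains an explicit "out" that the post omits; the ordering is what makes rule 610 bite only non-MTA processes.

```shell
#!/bin/sh
# Added example, not from the original message: the three ipfw SMTP rules,
# installed in evaluation order, with a dry-run mode and a post-install check.
# Assumptions: FreeBSD ipfw; rule numbers 500/600/610 are unused; MTA_UID is
# the uid of the MTA's outbound SMTP client (root in the post, postfix for
# Postfix). Everything else in the ruleset is left alone.
set -u

IPFW="${IPFW:-ipfw}"           # set IPFW=echo to print instead of install
MTA_UID="${MTA_UID:-root}"
LOG_LIMIT="${LOG_LIMIT:-100}"  # the "logamount 100" from the post

# Emit the rules, one per line, in the order ipfw must evaluate them.
# 500: at most two concurrent inbound SMTP connections per source address
#      ("limit" also acts as the check-state point for its dynamic rules).
# 600: the MTA's own uid may open outbound SMTP ("out" added here).
# 610: every other outbound SMTP attempt is denied and logged.
smtp_rules() {
    cat <<EOF
add 500 allow tcp from any to me 25 limit src-addr 2 setup
add 600 allow tcp from any to any 25 uid ${MTA_UID} out
add 610 deny log logamount ${LOG_LIMIT} tcp from any to any 25 out
EOF
}

# Feed each rule to ipfw. ipfw stops at the first matching rule, so the
# allow for the MTA (600) has to carry a lower number than the deny (610).
install_smtp_rules() {
    smtp_rules | while read -r rule; do
        # $rule is deliberately unquoted: each word is a separate ipfw token
        $IPFW $rule || return 1
    done
}

# Live check: the three rules are present and numbered in the expected order
# (ipfw prints rule numbers zero-padded to five digits).
check_smtp_rules() {
    $IPFW list 500 600 610 2>/dev/null | awk '
        NR == 1 && $1 != "00500" { bad = 1 }
        NR == 2 && $1 != "00600" { bad = 1 }
        NR == 3 && $1 != "00610" { bad = 1 }
        END { exit (NR != 3 || bad) }'
}

case "${1:-}" in
    install) install_smtp_rules ;;
    check)   check_smtp_rules ;;
    *)       ;;   # no argument: only define the functions
esac
```

Run `sh smtp-rules.sh install` as root, or `IPFW=echo sh smtp-rules.sh install` to see what would be added. To confirm the deny actually catches user processes, open an outbound connection as an unprivileged user (for instance `su -m nobody -c 'nc -w 3 -z mx.example.com 25'`, with a host of your choosing) and watch the packet counter on rule 610 climb in `ipfw show 610`; the matching entries also land in the ipfw log.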
