[lug] firewall logs

John Hernandez John.Hernandez at noaa.gov
Tue Jan 16 15:10:37 MST 2001


Warren, your ipchains rules seem confusing to me.

A wholesale block of 24.0.0.0/8 seems like overkill, especially since
there are over 200 other /8's chock-full of hackers and scanners.  In my
opinion, it's likely to cause headaches.  One headache in particular
would arise from blocking ICMP messages (such as redirects and
destination unreachables, etc) from your router and other nodes on the
@home network.  To prevent scans and other foul-play, your best approach
may be to use a program like portsentry to add dynamic rules which block
individual IPs when they start a scan.  In my experience, there are only
a couple of notorious "authorized-scan" hosts used by @home.  Better to
block those, specifically.

A second point of confusion is that you have a default policy of ACCEPT
on the input chain, which obviates all but the first 3 entries in your
ruleset.  That being said, any packet arriving on your outside interface
addressed with a destination of 10.0.0.0/24 should be considered invalid
(unroutable) and dropped, not ACCEPTed.

Hope that helps.
 
Warren Sanders wrote:
> 
> Over the past couple weeks I have set up my firewall to more than just
> masquerade.  I have @home and blocked their scans of <1024.  Since then I
> have been getting too many kernel: Packet logs.  Here is an example:
> 
> Jan 16 08:48:52 Sandman kernel: Packet log: input DENY lo PROTO=17
> 24.11.6.X.X:138 24.11.X.X:138 L=249 S=0x00 I=32305 F=0x0000 T=64 (#2)
> 
> This is my ipchain listing:
> 
> [root at Sandman /root]# ipchains -L
> Chain input (policy ACCEPT):
> target     prot opt     source                destination           ports
> DENY       tcp  ----l-  24.0.0.0/8           C317121-A.localdomain  any ->   0:1024
> DENY       udp  ----l-  24.0.0.0/8           C317121-A.localdomain  any ->   0:1024
> DENY       icmp ----l-  24.0.0.0/8           C317121-A.localdomain  any ->   0:1024
> ACCEPT     tcp  ------  femail7.sdc1.sfba.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  femail8.sdc1.sfba.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  femail9.sdc1.sfba.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  femail10.sdc1.sfba.home.com 10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  femail1.sdc1.sfba.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  femail2.sdc1.sfba.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  femail3.sdc1.sfba.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  femail4.sdc1.sfba.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  femail5.sdc1.sfba.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  femail6.sdc1.sfba.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  home-www.excite.com         10.0.0.0/24      any ->   1023:65355
> ACCEPT     tcp  ------  proxy1.bllngs1.mt.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  proxy2.bllngs1.mt.home.com  10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  news1.sttls1.wa.home.com    10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  home-www.excite.com         10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  ns1.home.net                10.0.0.0/24      any ->   1023:65535
> ACCEPT     tcp  ------  ns2.home.net                10.0.0.0/24      any ->   1023:65535
> ACCEPT     udp  ------  ns1.home.net                10.0.0.0/24      any ->   1023:65535
> ACCEPT     udp  ------  ns2.home.net                10.0.0.0/24      any ->   1023:65535
> Chain forward (policy DENY):
> target     prot opt     source                destination           ports
> MASQ       all  ------  10.0.0.0/24          anywhere              n/a
> Chain output (policy ACCEPT):
> 
> My concern is... Am I blocking my own packets somehow?  FYI, I do have a
> domain here but the NS is being hosted elsewhere.
> 
> --
> Warren Sanders
> http://MontanaLinux.Org
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

-- 

John Hernandez, Network Engineer --------------------------------------
US Department of Commerce                             tel: 303-497-6392
NOAA/OAR - Mailstop R/OM12                            fax: 303-497-6005
325 Broadway                            e-mail: John.Hernandez at noaa.gov
Boulder, CO 80303                               http://boulder.noaa.gov
-----------------------------------------------------------------------
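Worked example added to this archived thread (not code from either poster): a small Python script that parses kernel "Packet log:" lines in the format Warren quoted and simulates ipchains first-match evaluation, so the two points in the reply can be checked mechanically. With a default policy of ACCEPT, an ACCEPT rule that has no DENY after it can never change a verdict, and a packet arriving on the outside interface addressed to 10.0.0.0/24 is accepted by the posted chain but denied by a default-deny variant with an anti-spoof rule in front. The parser also returns the interface a drop was logged on, which is the first thing to look at for the "am I blocking my own packets?" question, since the quoted log entry was on lo. The interface names eth0/eth1, the addresses 24.11.6.x, the abridged rule sets and the two log lines are all constructed for the example.

```python
# Added example (not from the thread): parse ipchains "Packet log:" lines and
# simulate first-match chain evaluation. Addresses, interface names and log
# lines are constructed.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Layout quoted in the thread: Packet log: <chain> <target> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+(?: \(#(?P<rule>\d+)\))?")


def pkt(iface, proto, src, sport, dst, dport) -> Dict:
    return {"iface": iface, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def parse_log_line(line: str) -> Optional[Dict]:
    """Fields of one 'Packet log:' line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    p = pkt(d["iface"], PROTO_NAMES.get(int(d["proto"]), d["proto"]),
            d["src"], int(d["sport"]), d["dst"], int(d["dport"]))
    p.update(chain=d["chain"], target=d["target"], rule=int(d["rule"]) if d["rule"] else None)
    return p


@dataclass
class Rule:
    target: str                           # ACCEPT or DENY
    proto: Optional[str] = None           # None matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Tuple[int, int] = (0, 65535)
    iface: Optional[str] = None           # None matches every interface

    def matches(self, p: Dict) -> bool:
        return ((self.proto is None or p["proto"] == self.proto)
                and (self.iface is None or p["iface"] == self.iface)
                and ipaddress.ip_address(p["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(self.dst)
                and self.dports[0] <= p["dport"] <= self.dports[1])


@dataclass
class Chain:
    policy: str
    rules: List[Rule]


def evaluate(chain: Chain, p: Dict) -> Tuple[str, Optional[int]]:
    """ipchains semantics: the first matching rule decides, else the policy.
    Returns (target, 1-based rule number or None when the policy applied)."""
    for i, r in enumerate(chain.rules, start=1):
        if r.matches(p):
            return r.target, i
    return chain.policy, None


def redundant_accepts(chain: Chain) -> List[int]:
    """ACCEPT rules that can never change the verdict: the policy is already
    ACCEPT and no later rule could deny the packet."""
    if chain.policy != "ACCEPT":
        return []
    return [i for i, r in enumerate(chain.rules, start=1) if r.target == "ACCEPT"
            and not any(x.target in ("DENY", "REJECT") for x in chain.rules[i:])]


def looks_spoofed(p: Dict, ext_iface: str = "eth0", inside: str = "10.0.0.0/24") -> bool:
    """Arrived on the outside interface but addressed to the unroutable inside
    network: cannot be legitimate, so it should be dropped."""
    return p["iface"] == ext_iface and ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(inside)


EXT_HOST = "24.11.6.7/32"   # constructed stand-in for the firewall's cable-side address

# Shape of the posted ruleset: policy ACCEPT, three DENYs, then ACCEPTs (abridged).
as_posted = Chain("ACCEPT", [
    Rule("DENY", "tcp", "24.0.0.0/8", EXT_HOST, (0, 1024)),
    Rule("DENY", "udp", "24.0.0.0/8", EXT_HOST, (0, 1024)),
    Rule("DENY", "icmp", "24.0.0.0/8", EXT_HOST, (0, 1024)),
    Rule("ACCEPT", "tcp", "24.11.6.100/32", "10.0.0.0/24", (1023, 65535)),
    Rule("ACCEPT", "udp", "24.11.6.101/32", "10.0.0.0/24", (1023, 65535)),
])

# One default-deny alternative (constructed): anti-spoof first, ICMP kept, then only what is wanted.
hardened = Chain("DENY", [
    Rule("DENY", None, "0.0.0.0/0", "10.0.0.0/24", iface="eth0"),
    Rule("ACCEPT", None, "10.0.0.0/24", "0.0.0.0/0", iface="eth1"),
    Rule("ACCEPT", "icmp", iface="eth0"),
    Rule("ACCEPT", "tcp", "0.0.0.0/0", EXT_HOST, (1024, 65535), iface="eth0"),
    Rule("ACCEPT", "udp", "24.11.6.101/32", EXT_HOST, (1024, 65535), iface="eth0"),
])

SAMPLE_LOGS = [  # constructed, in the format quoted in the thread
    "Jan 16 08:48:52 Sandman kernel: Packet log: input DENY lo PROTO=17 "
    "24.11.6.7:138 24.11.6.255:138 L=249 S=0x00 I=32305 F=0x0000 T=64 (#2)",
    "Jan 16 08:50:01 Sandman kernel: Packet log: input DENY eth0 PROTO=6 "
    "24.11.6.200:4321 10.0.0.5:139 L=48 S=0x00 I=101 F=0x4000 T=120 (#1)",
]

if __name__ == "__main__":
    spoof = pkt("eth0", "tcp", "24.11.6.200", 4321, "10.0.0.5", 139)
    print(parse_log_line(SAMPLE_LOGS[0])["iface"], redundant_accepts(as_posted))
    print(evaluate(as_posted, spoof), evaluate(hardened, spoof), looks_spoofed(spoof))
```

Feed it real log lines by replacing SAMPLE_LOGS with the output of `grep 'Packet log' /var/log/messages`; the rule number in parentheses at the end of each line is the position in `ipchains -L` that fired, and an interface of lo means the host denied a packet it sent to itself.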



