[lug] firewall logs
Nate Duehr
nate at natetech.com
Wed Jan 17 14:33:13 MST 2001
Actually I have a few friends who report that by dropping the
entire 24.0.0.0/8 range, their level of daily attacks from
script-kiddies has been cut down by over 85%.
And they just open up individual @Home users they want to communicate
with, which is only a few IPs later.
Blocking @Home's mail servers drops a lot of spam too, indirectly. :)
On Tue, Jan 16, 2001 at 03:10:37PM -0700, John Hernandez wrote:
> Warren, your ipchains rules seem confusing to me.
>
> A wholesale block of 24.0.0.0/8 seems like overkill, especially since
> there are over 200 other /8's chock-full of hackers and scanners. In my
> opinion, it's likely to cause headaches. One headache in particular
> would arise from blocking ICMP messages (such as redirects and
> destination unreachables, etc) from your router and other nodes on the
> @home network. To prevent scans and other foul-play, your best approach
> may be to use a program like portsentry to add dynamic rules which block
> individual IPs when they start a scan. In my experience, there are only
> a couple of notorious "authorized-scan" hosts used by @home. Better to
> block those, specifically.
>
> A second point of confusion is that you have a default policy of ACCEPT
> on the input chain, which obviates all but the first 3 entries in your
> ruleset. That being said, any packet arriving on your outside interface
> addressed with a destination of 10.0.0.0/24 should be considered invalid
> (unroutable) and dropped, not ACCEPTed.
>
> Hope that helps.
>
> Warren Sanders wrote:
> >
> > Over the past couple weeks I have set up my firewall to more than just
> > masquerade. I have @home and blocked their scans of <1024. Since then I
> > have been getting too many kernel: Packet logs. Here is an example:
> >
> > Jan 16 08:48:52 Sandman kernel: Packet log: input DENY lo PROTO=17
> > 24.11.6.X.X:138 24.11.X.X:138 L=249 S=0x00 I=32305 F=0x0000 T=64 (#2)
> >
> > This is my ipchain listing:
> >
> > [root at Sandman /root]# ipchains -L
> > Chain input (policy ACCEPT):
> > target prot opt source destination ports
> > DENY tcp ----l- 24.0.0.0/8 C317121-A.localdomain any -> 0:1024
> > DENY udp ----l- 24.0.0.0/8 C317121-A.localdomain any -> 0:1024
> > DENY icmp ----l- 24.0.0.0/8 C317121-A.localdomain any -> 0:1024
> > ACCEPT tcp ------ femail7.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ femail8.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ femail9.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ femail10.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ femail1.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ femail2.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ femail3.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ femail4.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ femail5.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ femail6.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ home-www.excite.com 10.0.0.0/24 any -> 1023:65355
> > ACCEPT tcp ------ proxy1.bllngs1.mt.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ proxy2.bllngs1.mt.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ news1.sttls1.wa.home.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ home-www.excite.com 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ ns1.home.net 10.0.0.0/24 any -> 1023:65535
> > ACCEPT tcp ------ ns2.home.net 10.0.0.0/24 any -> 1023:65535
> > ACCEPT udp ------ ns1.home.net 10.0.0.0/24 any -> 1023:65535
> > ACCEPT udp ------ ns2.home.net 10.0.0.0/24 any -> 1023:65535
> > Chain forward (policy DENY):
> > target prot opt source destination ports
> > MASQ all ------ 10.0.0.0/24 anywhere n/a
> > Chain output (policy ACCEPT):
> >
> > My concern is... Am I blocking my own packets some how? FYI I do have a
> > domain here but the NS is being hosted elsewhere.
> >
> > --
> > Warren Sanders
> > http://MontanaLinux.Org
> >
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
> --
>
> John Hernandez, Network Engineer --------------------------------------
> US Department of Commerce tel: 303-497-6392
> NOAA/OAR - Mailstop R/OM12 fax: 303-497-6005
> 325 Broadway e-mail: John.Hernandez at noaa.gov
> Boulder, CO 80303 http://boulder.noaa.gov
> -----------------------------------------------------------------------
>
--
Nate Duehr <nate at natetech.com>
GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
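As an added example, not part of the original thread or of any poster's setup: a Python script that parses the kernel "Packet log:" lines Warren quotes and puts John's two suggestions into code, flagging individual scanning hosts for a per-host DENY rule rather than a wholesale 24.0.0.0/8 block, and catching packets that arrive on the outside interface addressed to 10.0.0.0/24. It also counts dropped ICMP destination-unreachable messages, the kind of feedback a blanket ICMP block throws away. The log lines are constructed for the example, with RFC 5737 documentation addresses standing in for real @Home hosts; the interface name eth0, the rule numbers, and the five-port trigger threshold are assumptions, and the ipchains commands it produces use the -I, -s, -j and -l options of ipchains but are only returned as strings, never executed.

```python
# Added example: ipchains "Packet log:" parser with a portsentry-style
# per-host block trigger and an anti-spoof check. Not from the original thread.
import ipaddress
import re
from collections import defaultdict

# Layout of an ipchains kernel log line, as quoted in the post:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=0x<tos> I=<ipid> F=0x<frag> T=<ttl> [SYN] (#<rule>)
# For PROTO=1 (ICMP) ipchains reports the ICMP type and code in the two port fields.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)

def parse_line(line):
    """Return the packet fields of one syslog line, or None for non-packet lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split()  # e.g. ["SYN"] for a TCP connection attempt
    return rec

def find_scanners(records, outside_iface, min_ports=5):
    """Sources whose denied TCP/UDP packets on the outside interface touched at
    least min_ports distinct destination ports: a crude portsentry-like trigger."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["iface"] == outside_iface and r["target"] == "DENY" and r["proto"] in (6, 17):
            ports_by_src[r["src"]].add(r["dport"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)

def spoofed_inside_dst(records, outside_iface, inside_net):
    """Packets that arrived on the outside interface addressed to the inside
    private network. They are unroutable and should be DENYed, never ACCEPTed."""
    net = ipaddress.ip_network(inside_net)
    return [r for r in records
            if r["iface"] == outside_iface and ipaddress.ip_address(r["dst"]) in net]

def icmp_unreachables_dropped(records):
    """Denied ICMP type 3 (destination unreachable) packets; dropping these
    hides path-MTU and host-unreachable feedback from the local stack."""
    return [r for r in records
            if r["proto"] == 1 and r["target"] == "DENY" and r["sport"] == 3]

def deny_rules(hosts):
    """Per-host rules to insert at the top of the input chain, with logging (-l).
    Returned as strings only; nothing here runs ipchains."""
    return [f"ipchains -I input 1 -s {host} -j DENY -l" for host in hosts]

def analyze(log_text, outside_iface="eth0", inside_net="10.0.0.0/24"):
    """Summarise a log: packet count, scanners, rules for them, spoofed and ICMP counts."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    scanners = find_scanners(records, outside_iface)
    return {
        "packets": len(records),
        "scanners": scanners,
        "rules": deny_rules(scanners),
        "spoofed": len(spoofed_inside_dst(records, outside_iface, inside_net)),
        "icmp_unreachable_dropped": len(icmp_unreachables_dropped(records)),
    }

# Constructed sample log (RFC 5737 documentation addresses stand in for real
# @Home hosts): a NetBIOS broadcast, a five-port SYN scan from 203.0.113.9,
# one ordinary denied web hit, a packet for the inside net arriving on eth0,
# a dropped ICMP destination-unreachable, and a non-packet syslog line.
SAMPLE_LOG = """\
Jan 16 08:48:52 Sandman kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:138 198.51.100.255:138 L=249 S=0x00 I=32305 F=0x0000 T=64 (#2)
Jan 16 08:49:01 Sandman kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:40211 198.51.100.20:21 L=60 S=0x00 I=101 F=0x4000 T=48 SYN (#1)
Jan 16 08:49:01 Sandman kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:40212 198.51.100.20:22 L=60 S=0x00 I=102 F=0x4000 T=48 SYN (#1)
Jan 16 08:49:02 Sandman kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:40213 198.51.100.20:23 L=60 S=0x00 I=103 F=0x4000 T=48 SYN (#1)
Jan 16 08:49:02 Sandman kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:40214 198.51.100.20:25 L=60 S=0x00 I=104 F=0x4000 T=48 SYN (#1)
Jan 16 08:49:03 Sandman kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:40215 198.51.100.20:80 L=60 S=0x00 I=105 F=0x4000 T=48 SYN (#1)
Jan 16 08:49:40 Sandman kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.33:1025 198.51.100.20:80 L=60 S=0x00 I=200 F=0x4000 T=64 SYN (#1)
Jan 16 08:50:10 Sandman kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.77:3344 10.0.0.5:139 L=60 S=0x00 I=300 F=0x4000 T=50 SYN (#4)
Jan 16 08:50:12 Sandman kernel: Packet log: input DENY eth0 PROTO=1 198.51.100.1:3 198.51.100.20:4 L=56 S=0xc0 I=400 F=0x0000 T=255 (#3)
Jan 16 08:50:15 Sandman syslogd: restart
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against /var/log/messages in place of SAMPLE_LOG to get the same summary for a real box. The scan trigger counts distinct ports per source over the whole file, which is simpler than portsentry's per-connection trigger but good enough to pick out the handful of hosts worth a specific DENY; the spoof check is the one John describes, and any hit there means the anti-spoof rule belongs above the ACCEPT lines for the mail and DNS servers.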