[lug] firewall logs
John Hernandez
John.Hernandez at noaa.gov
Tue Jan 16 15:10:37 MST 2001
Warren, your ipchains rules seem confusing to me.
A wholesale block of 24.0.0.0/8 seems like overkill, especially since
there are over 200 other /8's chock-full of hackers and scanners. In my
opinion, it's likely to cause headaches. One headache in particular
would arise from blocking ICMP messages (such as redirects and
destination unreachables, etc) from your router and other nodes on the
@home network. To prevent scans and other foul-play, your best approach
may be to use a program like portsentry to add dynamic rules which block
individual IP's when they start a scan. In my experience, there are only
a couple of notorious "authorized-scan" hosts used by @home. Better to
block those, specifically.
A second point of confusion is that you have a default policy of ACCEPT
on the input chain, which obviates all but the first 3 entries in your
ruleset. That being said, any packet arriving on your outside interface
addressed with a destination of 10.0.0.0/24 should be considered invalid
(unroutable) and dropped, not ACCEPTed.
Hope that helps.
Warren Sanders wrote:
>
> Over the past couple weeks I have set up my firewall to more than just
> masquerade. I have @home and blocked their scans of <1024. Since then I
> have been getting too many kernel: Packet logs. Here is an example:
>
> Jan 16 08:48:52 Sandman kernel: Packet log: input DENY lo PROTO=17 24.11.6.X.X:138 24.11.X.X:138 L=249 S=0x00 I=32305 F=0x0000 T=64 (#2)
>
> This is my ipchain listing:
>
> [root at Sandman /root]# ipchains -L
> Chain input (policy ACCEPT):
> target prot opt source destination ports
> DENY tcp ----l- 24.0.0.0/8 C317121-A.localdomain any -> 0:1024
> DENY udp ----l- 24.0.0.0/8 C317121-A.localdomain any -> 0:1024
> DENY icmp ----l- 24.0.0.0/8 C317121-A.localdomain any -> 0:1024
> ACCEPT tcp ------ femail7.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ femail8.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ femail9.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ femail10.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ femail1.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ femail2.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ femail3.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ femail4.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ femail5.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ femail6.sdc1.sfba.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ home-www.excite.com 10.0.0.0/24 any -> 1023:65355
> ACCEPT tcp ------ proxy1.bllngs1.mt.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ proxy2.bllngs1.mt.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ news1.sttls1.wa.home.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ home-www.excite.com 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ ns1.home.net 10.0.0.0/24 any -> 1023:65535
> ACCEPT tcp ------ ns2.home.net 10.0.0.0/24 any -> 1023:65535
> ACCEPT udp ------ ns1.home.net 10.0.0.0/24 any -> 1023:65535
> ACCEPT udp ------ ns2.home.net 10.0.0.0/24 any -> 1023:65535
> Chain forward (policy DENY):
> target prot opt source destination ports
> MASQ all ------ 10.0.0.0/24 anywhere n/a
> Chain output (policy ACCEPT):
>
> My concern is... Am I blocking my own packets some how? FYI I do have a
> domain here but the NS is being hosted elsewhere.
>
> --
> Warren Sanders
> http://MontanaLinux.Org
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
--
John Hernandez, Network Engineer --------------------------------------
US Department of Commerce tel: 303-497-6392
NOAA/OAR - Mailstop R/OM12 fax: 303-497-6005
325 Broadway e-mail: John.Hernandez at noaa.gov
Boulder, CO 80303 http://boulder.noaa.gov
-----------------------------------------------------------------------
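As an added example (not code from either poster), here is a small Python parser for the kernel `Packet log:` lines quoted in the thread, which tags each denied packet with the conditions raised in the reply: traffic logged on `lo` (the host's own packets), a 10.0.0.0/24 destination arriving on the outside interface, and denied ICMP. The sample lines, the interface name `eth0` and the rule numbers are constructed assumptions, since the thread does not give them.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the ipchains kernel "Packet log:" format quoted in the thread;
# addresses, interface names and rule numbers are made up for this example.
SAMPLE_LOG = """\
Jan 16 08:48:52 Sandman kernel: Packet log: input DENY lo PROTO=17 24.11.6.5:138 24.11.6.255:138 L=249 S=0x00 I=32305 F=0x0000 T=64 (#2)
Jan 16 08:49:01 Sandman kernel: Packet log: input DENY eth0 PROTO=6 24.3.4.5:4242 10.0.0.7:23 L=60 S=0x00 I=101 F=0x4000 T=52 (#1)
Jan 16 08:49:03 Sandman kernel: Packet log: input DENY eth0 PROTO=1 24.0.0.1:3 24.11.6.5:1 L=56 S=0x00 I=202 F=0x0000 T=255 (#3)
"""
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# chain target iface PROTO=n src:port dst:port L= S= I= F= T= (#rule); ICMP logs type:code as ports
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+(?: \(#(?P<rule>\d+)\))?"
)

def parse_line(line):
    """Fields of one ipchains log line as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("proto", "sport", "dport"):
        e[k] = int(e[k])
    e["rule"] = int(e["rule"]) if e["rule"] else None
    return e

def classify(entry, outside_iface="eth0", lan=ip_network("10.0.0.0/24")):
    """Tag an entry with the conditions raised in the thread (interface names assumed)."""
    tags = []
    if entry["iface"] == "lo":  # never left the box: the host's own traffic
        tags.append("local")
    if entry["iface"] == outside_iface and ip_address(entry["dst"]) in lan:
        tags.append("spoofed-lan-dst")  # LAN destination arriving from outside
    if entry["proto"] == 1:  # denied ICMP: look for redirects/unreachables here
        tags.append("icmp")
    return tags

def summarize(log_text):
    """Count DENY entries per (matched rule number, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["target"] == "DENY":
            counts[(e["rule"], PROTO_NAMES.get(e["proto"], str(e["proto"])), e["dport"])] += 1
    return counts
```

The `(#n)` suffix is the number of the rule that matched, so the counts show directly which DENY entries in `ipchains -L` are generating the noise.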