Thomas,
I have been listening to this list for some time now. I have a question. Why is
it that you list the IPCHAINS command twice? I see what it is doing: you are blocking
the port, and then logging it. Could you not just type it once? Or is there a specific
reason for the second time?
Thank you for the information.
Steven
NewBee
*********** REPLY SEPARATOR ***********
On 1/4/2001 at 13:51 Burke, Thomas G. wrote:
>Why not just reject packets on the port where they scan? I imagine they
>usually scan the same port number.
>
>ie:
># Back Orifice
>$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
>$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
>
>This blocks the entire outside world from accessing port 31337 (and logs it)
>
>I think you can use port ranges by using a hyphen, but I'm not absolutely
>sure 'bout that. That'd be of the form:
>
>$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 0-500 -j DENY
>$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 0-500 -j DENY
>
>Although, I imagine that might break a lot of stuff...
>
>There is also a destination port argument, but I'm not sure if this'll work:
>$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET -dport 0-500 -j DENY
>
>Actually, I'd imagine this one'd be closer:
>$IPCHAINS -A input -l -p tcp -i $EXTERNAL_IF --destination-port 0-500 -j DENY
>$IPCHAINS -A input -l -p udp -i $EXTERNAL_IF --destination-port 0-500 -j DENY
>
>I have no way to test this at the moment, but these are my inclinations...
>Anyone else have any inputs?
>
>
>
>> -----Original Message-----
>> From: Halcyon [SMTP:[EMAIL PROTECTED]]
>> Sent: Thursday, January 04, 2001 12:45 PM
>> To: [EMAIL PROTECTED]
>> Subject: blackhole firewall rules
>>
>> Hello, I'd like to be able to create a firewall rule that would drop all
>> packets coming to my Linux box from the home.net network if they are trying
>> to open a port below, say, 500.
>>
>> My reason for this being that for the past year, I've run my own IMAP mail
>> server on my DSL and I've loved it. There's nothing more beautiful than
>> having procmail sort all your email on the server instead of having to use a
>> client to sort. Unfortunately, the DSL is insanely expensive, so I need to
>> move my server over to my cable modem and cancel the DSL. I've noticed that
>> @home portscans pretty regularly, so I need to be discreet about my mail
>> server.
>>
>> I'm pretty sure that you can create some sort of rule with ipchains to
>> become invisible to @home and if anyone can help me out or help me help
>> myself, I'd greatly appreciate it.
>>
>> Thanks in advance,
>> Halcyon
>>
>>
>>
>> _______________________________________________
>> Redhat-list mailing list
>> [EMAIL PROTECTED]
>> https://listman.redhat.com/mailman/listinfo/redhat-list
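The rules Thomas proposes in the quoted reply, modelled as an added example that is not code from the list or from ipchains itself: a small Python walk of an input chain with ipchains' first-match semantics, showing that a `-p tcp` rule never matches the udp probe to 31337 (hence one rule per protocol) and that a 0-500 range on the external interface denies IMAP on port 143 along with everything else, which is the "might break a lot of stuff" caveat. The interface names eth0/eth1 and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str          # -p: a single protocol per rule, so tcp and udp need separate rules
    iface: str          # -i: interface the packet arrived on ("eth0" assumed to be the external one)
    dport_lo: int       # --destination-port range, low end
    dport_hi: int       # --destination-port range, high end (equal to lo for a single port)
    target: str         # -j: "DENY" or "ACCEPT"
    log: bool = False   # -l: log matching packets to the kernel log

@dataclass(frozen=True)
class Packet:
    proto: str
    iface: str
    dport: int

def evaluate(chain, pkt, policy="ACCEPT"):
    """First matching rule decides (ipchains walks top to bottom); returns (target, logged)."""
    for r in chain:
        if r.proto == pkt.proto and r.iface == pkt.iface and r.dport_lo <= pkt.dport <= r.dport_hi:
            return r.target, r.log
    return policy, False

def to_ipchains(r):
    """Render a rule in the command-line form used in the thread."""
    ports = str(r.dport_lo) if r.dport_lo == r.dport_hi else f"{r.dport_lo}-{r.dport_hi}"
    log = "-l " if r.log else ""
    return f"$IPCHAINS -A input {log}-p {r.proto} -i {r.iface} --destination-port {ports} -j {r.target}"

# Thomas's Back Orifice pair: one rule per protocol, both logging (values taken from the thread)
BO_RULES = [
    Rule("tcp", "eth0", 31337, 31337, "DENY", log=True),
    Rule("udp", "eth0", 31337, 31337, "DENY", log=True),
]

# The low-port variant: deny everything below 500 arriving on the external interface
LOW_PORT_RULES = [
    Rule("tcp", "eth0", 0, 500, "DENY", log=True),
    Rule("udp", "eth0", 0, 500, "DENY", log=True),
]

if __name__ == "__main__":
    # a udp probe to 31337 slips past a tcp-only rule, which is why the second rule exists
    print(evaluate(BO_RULES[:1], Packet("udp", "eth0", 31337)))  # ('ACCEPT', False)
    print(evaluate(BO_RULES, Packet("udp", "eth0", 31337)))      # ('DENY', True)
    # the 0-500 range also denies IMAP on 143 from outside: the "might break a lot of stuff" caveat
    print(evaluate(LOW_PORT_RULES, Packet("tcp", "eth0", 143)))  # ('DENY', True)
    print(evaluate(LOW_PORT_RULES, Packet("tcp", "eth1", 143)))  # ('ACCEPT', False)
```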