The first one is -p tcp and the second is -p udp (one to block TCP and one to
block UDP traffic).

> -----Original Message-----
> From: Steven Pierce [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, January 04, 2001 1:54 PM
> To:   [EMAIL PROTECTED]
> Subject:      RE: blackhole firewall rules
> 
> 
> Thomas,
> 
> I have been listening to this list for some time now.  I have a question.
> Why is it that you list the IPCHAINS command twice?  I see what it is doing: you are
> blocking the port, and then logging it.  Could you not just type it once?  Or is there
> a specific reason for the second time?
> 
> Thank you for the information.
> 
> Steven
> NewBee
> 
> *********** REPLY SEPARATOR  ***********
> 
> On 1/4/2001 at 13:51 Burke, Thomas G. wrote:
> 
> >Why not just reject packets on the port where they scan?  I imagine they
> >usually scan the same port number.
> >
> >i.e.:
> ># Back Orifice
> >$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
> >$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
> >
> >This blocks the entire outside world from accessing port 31337 (and logs it)
> >
> >I think you can use port ranges by using a hyphen, but I'm not absolutely
> >sure 'bout that.  That'd be of the form:
> >
> >$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 0:500 -j DENY
> >$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 0:500 -j DENY
> >
> >Although, I imagine that might break a lot of stuff...
> >
> >There is also a destination port argument, but I'm not sure if this'll work:
> >$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET --dport 0:500 -j DENY
> >
> >Actually, I'd imagine this one'd be closer:
> >$IPCHAINS -A input -l -p tcp -i $EXTERNAL_IF --destination-port 0:500 -j DENY
> >$IPCHAINS -A input -l -p udp -i $EXTERNAL_IF --destination-port 0:500 -j DENY
> >
> >I have no way to test this at the moment, but these are my inclinations...
> >Anyone else have any input?
> >
> >
> >
> >> -----Original Message-----
> >> From:      Halcyon [SMTP:[EMAIL PROTECTED]]
> >> Sent:      Thursday, January 04, 2001 12:45 PM
> >> To:        [EMAIL PROTECTED]
> >> Subject:   blackhole firewall rules
> >> 
> >> Hello, I'd like to be able to create a firewall rule that would drop all
> >> packets coming to my Linux box from the home.net network if they are trying
> >> to open a port below, say, 500.
> >> 
> >> My reason for this being that for the past year, I've run my own IMAP mail
> >> server on my DSL and I've loved it.  There's nothing more beautiful than
> >> having procmail sort all your email on the server instead of having to use a
> >> client to sort.  Unfortunately, the DSL is insanely expensive, so I need to
> >> move my server over to my cable modem and cancel the DSL.  I've noticed that
> >> @home portscans pretty regularly, so I need to be discreet about my mail
> >> server.
> >> 
> >> I'm pretty sure that you can create some sort of rule with ipchains to
> >> become invisible to @home and if anyone can help me out or help me help
> >> myself, I'd greatly appreciate it.
> >> 
> >> Thanks in advance,
> >> Halcyon
> >> 
> >> 
> >> 
> >> _______________________________________________
> >> Redhat-list mailing list
> >> [EMAIL PROTECTED]
> >> https://listman.redhat.com/mailman/listinfo/redhat-list
> >
> 



