This is a discussion on RE: ipf not blocking? am i too paranoid? within the IPFilter forums, part of the System Security and Security Related category.
Assuming you have two interfaces on your box and the ne0 interface is the
external facing interface.... Also, assuming you have not turned off the
default allow policy which is usually in place in the various kernels........
Your rules as they stand and based on the above assumptions are only blocking
certain IP ranges and not all traffic. You may have to add a block in all and
block out all rule to the front end of your rules to try to cover off those
things not covered by your quick rules.

HTH
Russell

-----Original Message-----
From: owner-ipfilter@coombs.anu.edu.au [mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of Amadeus
Sent: Sunday, November 16, 2003 12:07 AM
To: ipfilter@coombs.anu.edu.au
Subject: ipf not blocking? am i too paranoid?

Hello

I have a question about some strange traffic on an external interface:

    192.168.071.223 239.255.255.250 17 32768 1900 0 594 0 2
    192.168.071.243 239.255.255.250 17 32768 1900 0 594 0 2
    192.168.071.248 239.255.255.250 17 32768 1900 0 594 0 2
    192.168.076.047 239.255.255.250 17 32768 1900 0 296 0 1

from ipaudit (neither the source nor the destination is ours). Is this
legitimate traffic? What kind of ports are those (32768 1900)?

Anyway I have the following ipf:

    block in log quick on ne0 from 192.168.0.0/16 to any
    block in log quick on ne0 from 172.16.0.0/12 to any
    block in log quick on ne0 from 10.0.0.0/8 to any
    block in log quick on ne0 from 127.0.0.0/8 to any
    block in log quick on ne0 from 0.0.0.0/8 to any
    block in log quick on ne0 from 169.254.0.0/16 to any
    block in log quick on ne0 from 192.0.2.0/24 to any
    block in log quick on ne0 from 204.152.64.0/23 to any
    block in log quick on ne0 from 224.0.0.0/3 to any
    block out log quick on ne0 from 192.168.0.0/16 to any
    block out log quick on ne0 from 172.16.0.0/12 to any
    block out log quick on ne0 from 10.0.0.0/8 to any
    block out log quick on ne0 from 127.0.0.0/8 to any
    block out log quick on ne0 from 0.0.0.0/8 to any
    block out log quick on ne0 from 169.254.0.0/16 to any
    block out log quick on ne0 from 192.0.2.0/24 to any
    block out log quick on ne0 from 204.152.64.0/23 to any
    block out log quick on ne0 from 224.0.0.0/3 to any
    block in on ne0 from any to any head 100

And I have no "pass in (quick)" rules at all - so why is this traffic passing?
The only out rules I have are for a bunch of standard ports, not the above...

Also I'm getting the following every second or two from ipmon (so ipf IS
blocking them:)

    16/11/2003 13:13:54.429224 ne0 @0:4 b 192.168.76.47,32768 -> 239.255.255.250,1900 PR udp len 20 282 IN
    16/11/2003 13:14:14.606964 ne0 @0:4 b 192.168.71.248,32768 -> 239.255.255.250,1900 PR udp len 20 283 IN
    16/11/2003 13:14:19.975369 ne0 @0:4 b 192.168.71.247,32768 -> 239.255.255.250,1900 PR udp len 20 283 IN

Is any of the above normal? Am I being too paranoid?

Thanks,
Amadeus

--
poff@sixbit.org
SDF Public Access UNIX System - http://sdf.lonestar.org
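To see why Russell's "block in all / block out all" matters, here is an added example (not from the thread or from IPFilter itself) that walks the posted rules the way ipf does: top to bottom, "quick" decides immediately, otherwise the last match wins, and a packet matching nothing gets the kernel's default policy, assumed here to be pass. The interface name ne1 and the public addresses are constructed; groups ("head 100") are not modelled beyond treating the head rule as an ordinary non-quick match.

```python
import ipaddress
# Toy model of ipf rule evaluation (added example, not from the thread): rules
# are tried top to bottom; a matching "quick" rule decides at once, otherwise
# the LAST matching rule wins; a packet matching no rule gets the kernel's
# default policy (assumed "pass"). "log" is ignored and "head 100" is treated as
# a plain non-quick match, which is its effect when nothing in group 100 matches.

def parse_rule(text):
    words = text.split()
    rule = {"action": words[0], "dir": words[1], "quick": "quick" in words,
            "iface": None, "src": None, "dst": None}
    for i, w in enumerate(words[:-1]):
        if w == "on":
            rule["iface"] = words[i + 1]
        elif w in ("from", "to") and words[i + 1] != "any":
            rule["src" if w == "from" else "dst"] = ipaddress.ip_network(words[i + 1])
    return rule  # "all" leaves src and dst as None, i.e. wildcards

def matches(rule, direction, iface, src, dst):
    return (rule["dir"] == direction and rule["iface"] in (None, iface)
            and (rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"]))

def decide(ruleset, direction, iface, src, dst, default="pass"):
    verdict = default
    for rule in map(parse_rule, ruleset):
        if matches(rule, direction, iface, src, dst):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict

# Amadeus's posted rules, shortened to the ranges exercised below.
POSTED = [
    "block in log quick on ne0 from 192.168.0.0/16 to any",
    "block in log quick on ne0 from 224.0.0.0/3 to any",
    "block out log quick on ne0 from 192.168.0.0/16 to any",
    "block in on ne0 from any to any head 100",
]
# Russell's suggestion: a block-in-all and block-out-all at the front end.
FIXED = ["block in all", "block out all"] + POSTED
# Constructed packets: the SSDP traffic from the post; a packet leaving ne0 for a
# public (RFC 5737 documentation) address; a packet arriving on an assumed
# internal interface "ne1" that none of the posted rules mention.
SSDP = ("in", "ne0", "192.168.76.47", "239.255.255.250")
OUTBOUND = ("out", "ne0", "203.0.113.9", "198.51.100.7")
INTERNAL = ("in", "ne1", "198.51.100.7", "203.0.113.9")

for name, pkt in (("ssdp", SSDP), ("outbound", OUTBOUND), ("internal", INTERNAL)):
    print(f"{name:8s} posted={decide(POSTED, *pkt):5s} fixed={decide(FIXED, *pkt)}")
```

The posted rules block the SSDP packets (as ipmon shows) and, through the head rule, everything else arriving on ne0, but outbound traffic and anything on the other interface fall through to the default pass; the two leading block-all rules close that gap while the quick rules keep deciding as before.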