Firewall Questions

Kevin Brown kevin_brown@uswest.net
Fri, 21 Jul 2000 23:28:17 -0700


You could just deny all packets destined for 255.255.255.255
	ipchains -A input -j DENY -d 255.255.255.255 -i eth1

I'm not completely familiar with exactly what the 255.255.255.255 IP is for
(Broadcast address???)  Need to pick me up the TCP/IP book.

Try to reverse DNS the source addresses to see if that helps give you any
information about them.

> David Demland wrote:
> 
> I have now got a big part of my log file problems taken care of, I hope. Since
> I was getting many DENY from just a few common IPs I spent time trying to see
> what was in common so I could remove so many logs from these IPs. This is what
> I found:
> 
> 1. - There were four common IPs: 200.*.*.*, 24.*.*.*, 169.*.*.*, and 10.*.*.*.
> All four of these had one thing in common, the return IP. This was
> 255.255.255.255. I thought that the return IP was nothing more than a mask. So
> I added a deny line for each IP that looks like:
> 
>     ipchains -A input -j DENY -s 200.0.0.0/8 -d 255.255.255.255 -i eth1
> 
> This has seemed to remove so many entries in my log file. Could this be a
> problem later on?
> 
> 2. - Now that I have been able to "clean up" my log file I have been able to
> see the following in the log:
> 
> 
> Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17
> 24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)
> 
> In this case the source IP and the destination IP seem to be valid. Any ideas
> on what I should do? I know that these IPs are on the Cox network so does this
> mean that Cox is checking on something or someone on the Cox network is
> looking for something?
> 
> 3. - There are now a couple of IPs that have the return IP of 255.255.255.255
> that I did not notice before. Should I do the same with each of these IPs or
> not?
> 
> Thank You,
> 
> David Demland
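
Added example, not part of the original thread: a small parser for the ipchains "Packet log:" lines discussed above that groups DENY entries by destination type, so broadcast noise can be separated from unicast probes before writing deny rules. The directed-broadcast check is a heuristic (the ISP's real netmask is not given in the thread), and the second and third sample lines are constructed.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# ipchains "Packet log:" layout: chain, target, interface, protocol number,
# src:port, dst:port, then L= S= I= F= T= and the matching rule number.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) .*\(#(?P<rule>\d+)\)"
)

def parse(line):
    """Return the fields of one ipchains log line as a dict, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def classify_dst(src, dst):
    """Label dst as limited broadcast, possible directed broadcast, or unicast.

    Heuristic (assumption: the real netmask is unknown): take the smallest
    prefix that contains both src and dst; if every host bit of dst is 1,
    dst is the broadcast address of that prefix.
    """
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    if d == 0xFFFFFFFF:
        return "limited-broadcast"
    host_bits = (s ^ d).bit_length()   # bits below the common prefix
    mask = (1 << host_bits) - 1
    if host_bits >= 2 and d & mask == mask:
        return "possible-directed-broadcast/%d" % (32 - host_bits)
    return "unicast"

def summarize(lines):
    """Count parsed entries by (destination type, IP protocol, dest port)."""
    counts = Counter()
    for line in lines:
        f = parse(line)
        if f:
            counts[(classify_dst(f["src"], f["dst"]), f["proto"], f["dport"])] += 1
    return counts

SAMPLE = [
    # From the thread, re-joined onto one line:
    "Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)",
    # Constructed samples:
    "Jul 20 18:26:02 localhost kernel: Packet log: input DENY eth1 PROTO=17 10.0.0.1:67 255.255.255.255:68 L=328 S=0x00 I=100 F=0x0000 T=64 (#39)",
    "Jul 20 18:27:40 localhost kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.7:4021 198.51.100.9:23 L=44 S=0x00 I=200 F=0x4000 T=50 (#39)",
]
```

Under this heuristic the logged packet from 24.1.224.10 to 24.1.231.255 matches the broadcast address of the /21 that contains both addresses.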