Firewall Questions

Craig White CraigWhite@AzApple.com
Sat, 22 Jul 2000 10:05:20 -0700


-----Original Message-----
From: plug-discuss-admin@lists.plug.phoenix.az.us
[mailto:plug-discuss-admin@lists.plug.phoenix.az.us] On Behalf Of David Demland
Sent: Friday, July 21, 2000 10:38 PM
To: PLUG Discuss
Subject: Firewall Questions


I have now got a big part of my log file problems taken care of, I hope.
Since I was getting many DENY entries from just a few common IPs, I spent time
trying to see what they had in common so I could remove so many log entries
from these IPs. This is what I found:

1. - There were four common IPs: 200.*.*.*, 24.*.*.*, 169.*.*.*, and
10.*.*.*. All four of these had one thing in common, the return IP. This was
255.255.255.255. I thought that the return IP was nothing more than a mask.
So I added a deny line for each IP that looked like:

    ipchains -A input -j DENY -s 200.0.0.0/8 -d 255.255.255.255 -i eth1

This has seemed to remove so many entries from my log file. Could this be a
problem later on?

2. - Now that I have been able to "clean up" my log file, I have been able to
see the following in the log:

Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17
24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)

In this case the source IP and the destination IP seem to be valid. Any
ideas on what I should do? I know that these IPs are on the Cox network, so
does this mean that Cox is checking on something, or that someone on the Cox
network is looking for something?

3. - There are now a couple of IPs that have the return IP of
255.255.255.255 that I did not notice before. Should I do the same with each
of these IPs or not?

---
Much of what you are seeing is a DHCP request...

169.174.10.xxx broadcasting to the entire subnet (255.255.255.255) - casting
about to be assigned an IP address by a DHCP server. It's excessive, as Cox
wants to assign IP addresses on a fairly short lease, even though their
system is virtually a fixed IP address.

If you aren't running any servers (ftp/www/inbound mail etc.), then block
everything, don't log anything, and you are pretty much done. I have gone
to logging little on Cox@home/Cox@work connections since so much goes on and
the log grows like wildfire.

Source addresses of 10.0.x.x and 192.168.x.x are typical of either a stupid
setup (many can be found on Cox's shared bandwidth) or blatant attempts to
stuff IP addresses and gain unauthorized access to poorly set up networks.

If you intend to discern the logged packet rejection activity, you will need
a list of port numbers/services so you can comprehend what's going on. Your
example lists port 121, which I am not familiar with, but for some ports the
intent is obvious...

Craig
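The log format quoted in the question and the broadcast/DHCP explanation in the reply, worked through as an added example (this is not code from either poster): a Python parser for ipchains "Packet log:" lines that labels each denied packet by its destination, flags RFC 1918 sources, tallies the destination ports seen, and emits the poster's own silent DENY rule for every source /8 that sent limited broadcasts. Only the first sample line is the one quoted in the thread; the other lines, the hostnames and addresses in them, and the assumption that x.x.x.255 is a /24 directed broadcast are constructed for the example. Port 121 is left as an unidentified port, as the thread leaves it.

```python
"""Parse ipchains 'Packet log:' lines and sort the DENY noise by what it is."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# ipchains 1.x kernel log format, as quoted in the post. For ICMP (PROTO=1)
# the two numbers after the addresses are type and code, not ports.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

LIMITED_BROADCAST = ip_address("255.255.255.255")
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
DHCP_PORTS = {67, 68}  # BOOTP/DHCP server and client ports (UDP)

# Constructed sample: the first line is the one quoted in the post, the rest are
# made up in the same format (a DHCP discover, one from an RFC 1918 source, a
# unicast telnet probe to an invented host, and a line that is not a packet log).
SAMPLE_LOG = [
    "Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)",
    "Jul 20 18:25:40 localhost kernel: Packet log: input DENY eth1 PROTO=17 169.174.10.77:68 255.255.255.255:67 L=328 S=0x00 I=1 F=0x0000 T=128 (#39)",
    "Jul 20 18:26:02 localhost kernel: Packet log: input DENY eth1 PROTO=17 10.0.0.3:68 255.255.255.255:67 L=328 S=0x00 I=2 F=0x0000 T=128 (#39)",
    "Jul 20 18:26:15 localhost kernel: Packet log: input DENY eth1 PROTO=6 200.10.20.30:3045 24.1.231.17:23 L=60 S=0x00 I=5012 F=0x4000 T=48 (#39)",
    "Jul 20 18:26:16 localhost kernel: not a packet log line",
]


def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        pkt[key] = int(pkt[key])
    pkt["rule"] = int(pkt["rule"]) if pkt["rule"] is not None else None
    return pkt


def classify(pkt):
    """Label a parsed packet by its destination, which is what the post found in common."""
    dst = ip_address(pkt["dst"])
    if dst == LIMITED_BROADCAST:
        if pkt["proto"] == 17 and {pkt["sport"], pkt["dport"]} & DHCP_PORTS:
            return "dhcp-broadcast"   # a client casting about for a lease, addressed to everyone
        return "limited-broadcast"    # some other all-ones broadcast
    if dst.packed[-1] == 0xFF:
        return "directed-broadcast"   # assumption: /24 subnets, so x.x.x.255 is a subnet broadcast
    return "unicast"                  # actually aimed at a single host


def is_private_source(pkt):
    """RFC 1918 source on a public cable segment: misconfigured neighbour or spoofing."""
    return any(ip_address(pkt["src"]) in net for net in PRIVATE_NETS)


def summarize(lines):
    """Count lines by label and by source /8, and tally (proto, dport) for TCP/UDP."""
    labels, sources, ports = Counter(), Counter(), Counter()
    for pkt in map(parse_line, lines):
        if pkt is None:
            continue
        label = classify(pkt) + ("/private-src" if is_private_source(pkt) else "")
        labels[label] += 1
        sources[pkt["src"].split(".")[0] + ".0.0.0/8"] += 1
        if pkt["proto"] in (6, 17):
            ports[(pkt["proto"], pkt["dport"])] += 1
    return labels, sources, ports


def silent_deny_rules(lines, iface="eth1"):
    """One non-logging DENY, in the post's own ipchains form, per source /8 seen sending limited broadcasts."""
    prefixes = sorted({pkt["src"].split(".")[0] + ".0.0.0/8" for pkt in map(parse_line, lines)
                       if pkt is not None and classify(pkt) in ("dhcp-broadcast", "limited-broadcast")})
    return [f"ipchains -A input -j DENY -s {p} -d 255.255.255.255 -i {iface}" for p in prefixes]


if __name__ == "__main__":
    labels, sources, ports = summarize(SAMPLE_LOG)
    for name, counter in (("by label", labels), ("by source /8", sources), ("by (proto, dport)", ports)):
        print(name, dict(counter))
    print("\n".join(silent_deny_rules(SAMPLE_LOG)))
```

ipchains walks a chain in order and stops at the first matching DENY, so the generated rules only stop the log entries if they are inserted ahead of whatever catch-all rule carries the `-l` logging flag; appended with `-A` after it, they never match. Because each rule also matches only on `-d 255.255.255.255`, it cannot swallow unicast traffic from the same /8, which is the answer to "could this be a problem later on" for rules of this exact shape.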