Firewall Questions

Joseph T. Tannenbaum tannenba@futureone.com
Sat, 22 Jul 2000 17:25:34 -0700


David,
255.255.255.255 is a broadcast.
Joe
  -----Original Message-----
  From: plug-discuss-admin@lists.PLUG.phoenix.az.us
  [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us] On Behalf Of David Demland
  Sent: Friday, July 21, 2000 10:38 PM
  To: PLUG Discuss
  Subject: Firewall Questions


  I have now got a big part of my log file problems taken care of, I hope.
Since I was getting many DENY entries from just a few common IPs, I spent time
trying to see what they had in common so I could remove so many logs from these
IPs. This is what I found:

  1. - There were four common IPs: 200.*.*.*, 24.*.*.*, 169.*.*.*, and
10.*.*.*. All four of these had one thing in common, the return IP. This was
255.255.255.255. I thought that the return IP was nothing more than a mask.
So I added a deny line for each IP that looks like:

      ipchains -A input -j DENY -s 200.0.0.0/8 -d 255.255.255.255 -i eth1

  This seems to have removed many entries from my log file. Could this be a
problem later on?

  2. - Now that I have been able to "clean up" my log file I have been able
to see the following in the log:

  Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)

  In this case the source IP and the destination IP seem to be valid. Any
ideas on what I should do? I know that these IPs are on the Cox network so
does this mean that Cox is checking on something or someone on the Cox
network is looking for something?

  3. - There are now a couple of IPs that have the return IP of
255.255.255.255 that I did not notice before. Should I do the same with each
of these IPs or not?

  Thank You,

  David Demland

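A triage helper for the ipchains "Packet log:" lines discussed in this thread, added here as an example and not part of the original exchange. It parses the kernel log format David quotes and classifies each destination the way Joe's reply implies: 255.255.255.255 is the limited broadcast address, and an address like 24.1.231.255 with all host bits set for an assumed /24 is a probable directed (subnet) broadcast. The sample log lines are constructed, and the /24 prefix is an assumption because the log line does not carry the sender's netmask.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample lines in the ipchains kernel-log format quoted in the thread.
SAMPLE_LOG = """\
Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)
Jul 20 18:26:02 localhost kernel: Packet log: input DENY eth1 PROTO=17 10.4.7.9:68 255.255.255.255:67 L=328 S=0x00 I=1 F=0x0000 T=64 (#12)
Jul 20 18:27:40 localhost kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:40000 203.0.113.5:23 L=60 S=0x00 I=7 F=0x4000 T=50 (#44)
"""

# chain, target, interface, protocol number, src ip:port, dst ip:port, rule number
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)


def classify_dst(dst: str, assumed_prefix: int = 24) -> str:
    """Classify a destination address for log triage.

    255.255.255.255 is the limited broadcast address. Any other address whose
    host bits are all ones for the assumed prefix length is flagged as a
    probable directed (subnet) broadcast. The prefix is an assumption: the
    ipchains log line carries no netmask, so /24 is only a reasonable default.
    """
    addr = ipaddress.IPv4Address(dst)
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "limited-broadcast"
    net = ipaddress.IPv4Network(f"{dst}/{assumed_prefix}", strict=False)
    if addr == net.broadcast_address:
        return f"directed-broadcast(/{assumed_prefix} assumed)"
    return "unicast"


def parse_line(line: str) -> Optional[dict]:
    """Parse one ipchains log line; return None for lines that are not packet logs."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dst_class"] = classify_dst(rec["dst"])
    # Private source addresses (e.g. 10/8) arriving on the outside interface
    # are noise or spoofing, not something to answer; worth a separate bucket.
    rec["src_private"] = ipaddress.IPv4Address(rec["src"]).is_private
    return rec


def triage(log: str) -> list:
    """Parse every packet-log line in a log excerpt and attach the classification."""
    return [r for r in (parse_line(l) for l in log.splitlines()) if r]
```

Broadcast-class entries are the ones worth dropping quietly with a rule that does not log, so the remaining unicast denies stay visible.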