Firewall Questions
Kevin Brown
kevin_brown@uswest.net
Fri, 21 Jul 2000 23:28:17 -0700
You could just deny all packets destined for 255.255.255.255
ipchains -A input -j DENY -d 255.255.255.255 -i eth1
I'm not completely familiar with what exactly what the 255.255.255.255 ip is for
(Broadcast address???) Need to pick me up the TCP/IP book.
Try to reverse DNS the source addresses to see if that helps give you any
information about them.
> David Demland wrote:
>
> I have now got a big part of my log file problems taken care of, I hope. Since
> I was getting many DENY from just a few common IP I spent time trying to see
> what was in common so I could remove so many logs from these IPs. This is what
> I found:
>
> 1. - There were four common IPs: 200.*.*.*, 24.*.*.*, 169.*.*.*, and 10.*.*.*.
> All four of these had one thing in common, the return IP. This was
> 255.255.255.255. I thought that the return IP was nothing more than a mask. So
> I added a deny line for each IP that look like:
>
> ipchains -A input -j DENY -s 200.0.0.0/8 -d 255.255.255.255 - eth1
>
> This has seemed to removed so many entries in my log file. Could this be a
> problem later on?
>
> 2. - Now that I have been able to "clean up" my log file I have been able to
> see the following in the log:
>
>
> Jul 20 18:25:21 localhost kernel: Packet log: input DENY eth1 PROTO=17
> 24.1.224.10:121 24.1.231.255:121 L=50 S=0x00 I=46385 F=0x0000 T=30 (#39)
>
> In this case the source IP and the destination IP seem to be valid. Any ideas
> on what I should do? I know that these IPs are on the Cox network so does this
> mean that Cox is checking on something or someone on the Cox network is
> looking for something?
>
>
>
> 3. - There are now a couple of IPs that have the return IP of 255.255.255.255
> that I did not notice before. Should I do the same with each of these IPs or
> not?
>
>
>
> Thank You,
>
>
>
> David Demland