Re: [Leaf-devel] ES3 suggestion

Charles Steinkuehler Sun, 03 Jun 2001 14:38:23 -0700
> 1.  First, when it refreshes, I'm not sure that
>     it flushes the rules *and* the portfw's/autofw's.
>     I could be wrong here, but I think it only flushes
>     the ipchains rules and doesn't touch what was
>     previously setup with ipmasqadm.

I'll check this.

> 2.  Given the increased popularity of ISPs giving out
>     RFC-1918 private addresses with DHCP and then static
>     NAT'ing them, I think part of the firewall setup which
>     blocks the RFC-1918 address specifically should be
>     dropped.

While I still think the private IP's should be blocked by default, there
should be an easy way to disable a particular range, and documentation on
the fact that this might be required.  I'll add a way to do this in the new
firewall scripts.

> 3.  Many of the trojan's I've read about use blind-attacks
>     where a response from the target isn't needed. So the
>     attacker can spoof the return IP address, and they
>     often choose from the reserve-address range (and use
>     the "eleet" port of 31337). Anyhow. as per CIAC alert
>     K-032, I think the following reserved address traffic
>     should be blocked explicitly:
>
> $IPCHAINS -A input -i $IF_EXT -b -s 0.0.0.0/8 -j DENY
> $IPCHAINS -A input -i $IF_EXT -b -s 224.0.0.0/4 -j DENY
> $IPCHAINS -A input -i $IF_EXT -b -s 240.0.0.0/5 -j DENY

The above IP's are already blocked...

> $IPCHAINS -A input -i $IF_EXT -b -s 169.254.0.0/16 -j DENY
> $IPCHAINS -A input -i $IF_EXT -b -s 192.0.2.0/24 -j DENY
> $IPCHAINS -A input -i $IF_EXT -b -s 248.0.0.0/5 -j DENY

I'll check into blocking these IP's as well...

> 4.  Lastly, at the end of the setup script, some "noise
>     blocker" rules should be stuck in. This helps eliminate
>     log file buildup (and the risk of resulting tooth
>     decay...). Since they're at the very end, they not
>     interfering with normal op's that would have been setup
>     earlier.
>
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 137 -p tcp -j DENY
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 137 -p udp -j DENY
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 138 -p tcp -j DENY
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 138 -p udp -j DENY
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 67 -p udp -j DENY

The above are already blocked w/o logging (along with a few more netbios
ports: 135 & 139)...

> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 68 -p udp -j DENY
> $IPCHAINS -A input -i $IF_EXT -d 255.255.255.255 -j DENY

Again, I'll look into blocking these IP's as well...

> That's it. Please let me know what you think. Of
> course, I'd be willing to do the dirty work of editing the
> scripts and tar'ing them up for the inclusion in the new
> release. Just wanted to be sure the above has enough perceived
> value.

I need to fold my extended V1.0 & V1.1 functionality together with my latest
proxy-arp DMZ scripts, so I can make the mods, but pointers to any RFC's or
other docs that refer to the new subnet ranges you think should be blocked
would be helpful...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] ES3 suggestion

Reply via email to
