On Thu 06 Mar 2003 22:13, allen posted as excerpted below:

> Keywords "SHOULD NOT"
>
> I have caught some of these coming through my cable modem once I noticed
> that my machine responds to more than just 127.0.0.1... I blocked off the
> whole 127.0.0.x and then noticed some crap coming through my external
> adapter to 127.0.0.x where x <> 1. Talk about yer mind opening security
> experiences...
Cable modem.. Cool.. Same here.. I always recommend, and run, both a software firewall, such as Mdk's shorewall with the kernel's netfilters, and a hardware NAPT-based device, either an appliance or a dedicated machine, in front of my LAN (which is really just a single computer, but..). To do otherwise is simply irresponsible, IMO, and there have been a couple of times when I've been VERY glad I was running it. (Once was an upgrade to CUPS with a new security setting in the rc file, only the new one was of course saved as .rpmnew, so the new setting didn't get automatically merged. My machine was broadcasting CUPS inquiries. I caught it when I did a log-all-LAN on the router, and fixed it ASAP thereafter. I was VERY glad I had the router in front of me, saving me from spewing that noise onto my ISP's subnet, when I found it.)

BTW, those 127/8s coming in the cable modem almost certainly were from your local node/subnet. Routers shouldn't know where to route them even if they DID want to do so, so they should just drop them. I have a hard time imagining anything configured to spit out 127/8 packets by default or accidentally, and still be decently functional, which means such packets have a VERY good chance of being deliberate hacking attempts. If it were me, I'd report it to [EMAIL PROTECTED], at least. That's pretty serious stuff..

To keep this sort of on topic.. Does shorewall check for this by default? If I read my config right, I have it being checked here, with source verification on, as well as specific per-interface IP subnet based permissions, but with as many upgrades as I've done, along with my own tweaking, I haven't the foggiest if that's the default.

Note two: I recently discovered that due to a misconfiguration, probably again due to upgrading in place and an update in the shipped defaults, shorewall wasn't filtering ANYTHING based on IP. The names of the default zones had changed, and the config files were out of sync with each other.
Those that routinely update via URPMI, and do NOT yet routinely check all .rpmnew warnings, should double check this, particularly if you connect directly to the net w/o a dedicated hardware firewall or at least a NAPT-based gateway router in front of you.

-- 
Duncan
"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
