On Fri, 3 Jun 2005, fbsd_user wrote:
> I am running the ipfilter firewall and I ran a test to see who gets access
> to the packet first (i.e. firewall or route command). Normally I have
> inbound FTP port 21 denied in my firewall. I changed that rule to
> allow and log so I could see all the packets flow through. I had a
> buddy run FTP to my server over the public internet.
>
> Pass-1. Log shows passive FTP access to my server from the public
> internet.
>
> Pass-2. First I issued the route blackhole command on the IP address of my
> friend's system. Then I had my friend run the same FTP access request to my
> server. This time the firewall log still shows the inbound packet on port 21
> passing in and out, but my friend's FTP session says connection error.
>
> Pass-3. Did a route delete for the IP address and had the test rerun, and FTP
> worked as expected.
>
> Conclusion. The route blackhole command gets control after the packet has been
> allowed through the firewall. Since IPFW and PF access the packet the
> same way IPFilter does, this holds true for all of them.
The short answer is I don't know, but it's possible it's the same.
> The use of the route blackhole command is a specific solution for
> circumstances where the standard public port number cannot be changed
> to some other port number so it's not attacked. I now understand why it's
> a perfect workaround for your ssh attack problem.
>
> Based on the feedback I got, the route command uses a non-linear type of
> database, whereas IPFW is just a linear list.
>
> My list of IPs to blackhole is around 400 and growing. That's why in my
> case I continue to use route/blackholing.
>
> PS. I have been using the abuse-reporting-scripts to report this
> kind of stuff to the ISP that owns the attacker's IP address. This has
> resulted in many ISPs terminating the attacker's account.
>
> You can download the abuse-reporting-scripts from
> http://www.unixguide.net/freebsd/fbsd_installguide/index.php
Thanks for the link. Didn't know about those; however, I often check the IP
of the attacker to see where in the world they are coming from, and a large
number of IPs are coming from China. Not sure how responsive the ISPs
there will be.
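The "non-linear database versus linear list" point above is the reason a few hundred blackholed addresses cost the routing table almost nothing while they would add a few hundred rule evaluations to every packet in a linear ruleset. The following is an added example, not code from the thread or from FreeBSD: a toy binary prefix trie (a simplified stand-in for the kernel's radix routing table) next to a first-match linear rule walk, loaded with a constructed list of about 400 blackhole entries. Both give the same verdict for every address; the trie touches at most 32 nodes no matter how many entries are loaded, while the linear walk has to pass every rule for an address that is not blackholed. All addresses, the `PrefixTrie` class and the `build_tables`, `verdicts`, `verdicts_agree` and `benchmark` helpers are assumptions of this example.

```python
"""Added example: longest-prefix trie vs linear rule walk for blackhole lookups.

Not code from the mailing-list thread or from FreeBSD; all entries are
constructed sample data in RFC 5737 / RFC 1918 space.
"""
import ipaddress
import random
import time


class PrefixTrie:
    """Binary trie keyed on IPv4 address bits; the longest matching prefix wins."""

    def __init__(self):
        # Each node is a dict: keys 0/1 are child nodes, key "v" is the verdict
        # stored at this prefix (if any).
        self.root = {}

    def add(self, cidr, verdict):
        net = ipaddress.ip_network(cidr, strict=False)
        addr = int(net.network_address)
        node = self.root
        for i in range(net.prefixlen):
            bit = (addr >> (31 - i)) & 1
            node = node.setdefault(bit, {})
        node["v"] = verdict

    def lookup(self, ip):
        """Walk the address bits, remembering the most specific verdict seen."""
        addr = int(ipaddress.ip_address(ip))
        node = self.root
        best = node.get("v")
        for i in range(32):
            node = node.get((addr >> (31 - i)) & 1)
            if node is None:
                break
            best = node.get("v", best)
        return best


def linear_lookup(rules, ip):
    """First-match walk over (network, verdict) pairs, like a linear ruleset."""
    addr = ipaddress.ip_address(ip)
    for net, verdict in rules:
        if addr in net:
            return verdict
    return "pass"


def build_tables(n_hosts=400, seed=7):
    """Constructed blackhole list: one /24 plus ~400 /32 host entries."""
    rng = random.Random(seed)
    entries = [("198.51.100.0/24", "blackhole"), ("10.9.9.9/32", "blackhole")]
    while len(entries) < n_hosts + 2:
        host = ".".join(str(rng.randrange(256)) for _ in range(3))
        entries.append((f"10.{host}/32", "blackhole"))

    trie = PrefixTrie()
    trie.add("0.0.0.0/0", "pass")  # default verdict at the root
    for cidr, verdict in entries:
        trie.add(cidr, verdict)

    # Linear list: most specific first, default handled by linear_lookup().
    rules = [(ipaddress.ip_network(c), v) for c, v in entries]
    rules.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return trie, rules


def verdicts(ip, trie, rules):
    """Return (trie verdict, linear verdict) for one address."""
    return trie.lookup(ip), linear_lookup(rules, ip)


def verdicts_agree(trie, rules, n=2000, seed=3):
    """Check both structures agree on random addresses and on listed hosts."""
    rng = random.Random(seed)
    samples = [str(ipaddress.ip_address(rng.getrandbits(32))) for _ in range(n)]
    samples += [str(net.network_address) for net, _ in rules]
    return all(trie.lookup(ip) == linear_lookup(rules, ip) for ip in samples)


def benchmark(trie, rules, n=5000, seed=5):
    """Seconds spent by each structure on n lookups (mostly non-listed hosts)."""
    rng = random.Random(seed)
    samples = [str(ipaddress.ip_address(rng.getrandbits(32))) for _ in range(n)]
    samples += [str(net.network_address) for net, _ in rules[:50]]
    t0 = time.perf_counter()
    for ip in samples:
        trie.lookup(ip)
    t1 = time.perf_counter()
    for ip in samples:
        linear_lookup(rules, ip)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    trie, rules = build_tables()
    print("10.9.9.9       ->", verdicts("10.9.9.9", trie, rules))
    print("198.51.100.77  ->", verdicts("198.51.100.77", trie, rules))
    print("192.0.2.1      ->", verdicts("192.0.2.1", trie, rules))
    print("agree on samples:", verdicts_agree(trie, rules))
    t_trie, t_lin = benchmark(trie, rules)
    print(f"trie {t_trie:.4f}s  linear {t_lin:.4f}s  for {len(rules)} entries")
```

The trie's lookup cost is bounded by the address length, so growing the blackhole list from 400 to 4000 entries does not change per-packet work; the linear walk grows with the list. That is the property the thread is relying on when it keeps the attacker list in the routing table rather than the firewall ruleset, with the caveat the thread itself notes: the blackhole route acts only after the firewall has already accepted the packet.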
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"