Hi, I am setting up ipfilter on an existing server. I eventually want to default to block for all inbound traffic, only allowing certain services based on specific pass rules. As this is an established server I am very nervous of doing this until I am certain that all valid traffic is being accepted. I have been running this for a while now, logging any traffic that 'falls through' the bottom of my ruleset. I have been getting some packets passing through with a source port of 25, with flags of Ack/Fin, mainly from servers which seem to be AOL mx servers. I have been hunting around the net, which gives me the impression that these could be ignored, but I haven't found anything that makes me certain of that.
Would someone have a look at these lines from the log and explain what they are and why they aren't being caught by the rules below? Can I ignore them and allow them to be blocked by default?

----- Relevant lines from ipf.conf -----

# Default to block all
block in all

# SMTP
pass in quick proto tcp from any to 128.40.182.5/32 port = 25 flags S keep state keep frags

# During testing pass anything that gets this far
pass in all

# Log any traffic that falls through this far
log in all

----- ipf.conf -----

----- Sample lines from log -----

08/04/2005 09:54:36.397670 iprb0 @0:27 L 205.188.158.57,25 -> 128.40.182.5,44904 PR tcp len 20 52 -AF IN
08/04/2005 09:55:23.491951 iprb0 @0:27 L 205.188.158.25,25 -> 128.40.182.5,45010 PR tcp len 20 52 -AF IN
08/04/2005 09:55:27.648246 iprb0 @0:27 L 205.188.158.25,25 -> 128.40.182.5,45010 PR tcp len 20 52 -AF IN
08/04/2005 09:55:35.967539 iprb0 @0:27 L 205.188.158.25,25 -> 128.40.182.5,45010 PR tcp len 20 52 -AF IN

----- Sample lines from log -----

Many thanks

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"It is easy to be blinded to the essential uselessness of computers by the sense of accomplishment you get from getting them to work at all." -- Douglas Adams
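An added example, not part of the post: a small Python triage script for the ipmon log format quoted above. It parses each line and sorts fall-through packets into buckets by TCP flags, so connection-opening SYNs (which a default block would actually refuse) are separated from ACK/FIN segments that belong to no tracked connection. The two non-SMTP sample lines are constructed and use documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the post's three FIN/ACK lines plus two added lines (a SYN to port 22, a UDP datagram) on documentation addresses.
SAMPLE_LOG = """\
08/04/2005 09:54:36.397670 iprb0 @0:27 L 205.188.158.57,25 -> 128.40.182.5,44904 PR tcp len 20 52 -AF IN
08/04/2005 09:55:23.491951 iprb0 @0:27 L 205.188.158.25,25 -> 128.40.182.5,45010 PR tcp len 20 52 -AF IN
08/04/2005 09:55:27.648246 iprb0 @0:27 L 205.188.158.25,25 -> 128.40.182.5,45010 PR tcp len 20 52 -AF IN
08/04/2005 09:56:01.000000 iprb0 @0:27 L 192.0.2.10,51234 -> 128.40.182.5,22 PR tcp len 20 60 -S IN
08/04/2005 09:56:05.000000 iprb0 @0:27 L 192.0.2.11,53 -> 128.40.182.5,33000 PR udp len 20 80 IN
"""

# One ipmon line: date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [-flags] dir
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<act>[A-Z]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Triage bucket for a packet that reached the catch-all log rule."""
    if rec["proto"] != "tcp":
        return "non-tcp"
    flags = rec["flags"] or ""
    if "S" in flags and "A" not in flags:
        return "new-connection"  # a default block would refuse this: it needs its own pass rule
    if "S" in flags:
        return "reply-without-state"  # SYN/ACK answering our SYN: no state kept on the outbound side
    if "R" in flags:
        return "reset"
    return "stray-segment"  # ACK/FIN etc. with no SYN: belongs to no tracked connection (e.g. a late FIN/ACK)

def summarize(log_text):
    """Return {bucket: Counter((proto, service_port))}; the lower port number is taken as the service side."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        buckets[classify(rec)][(rec["proto"], min(rec["sport"], rec["dport"]))] += 1
    return dict(buckets)
```

Run it over a full ipmon log to see which fall-through traffic is made up of new connections (needing a pass rule before switching to default block) and which is only stray segments of connections that have already closed.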
