Charles:

        Heya. Since you suggested some enhancements to ES3
before it's released, I wanted to suggest some of my own.
Little things, in specific regard to the firewall setup
scripts. My intent is to eliminate some of the FAQ support
questions that come up on the list.

1.  First, when it refreshes, I'm not sure that
    it flushes the rules *and* the portfw's/autofw's.
    I could be wrong here, but I think it only flushes
    the ipchains rules and doesn't touch what was
    previously setup with ipmasqadm.

2.  Given the increased popularity of ISPs giving out
    RFC-1918 private addresses with DHCP and then static
    NAT'ing them, I think the part of the firewall setup which
    blocks the RFC-1918 addresses specifically should be
    dropped.

3.  Many of the trojans I've read about use blind attacks
    where a response from the target isn't needed. So the
    attacker can spoof the return IP address, and they
    often choose from the reserved-address range (and use
    the "eleet" port of 31337). Anyhow, as per CIAC alert
    K-032, I think the following reserved address traffic
    should be blocked explicitly:

# -b applies each rule in both directions (source and destination swapped)
$IPCHAINS -A input -i $IF_EXT -b -s 0.0.0.0/8 -j DENY        # "this" network
$IPCHAINS -A input -i $IF_EXT -b -s 169.254.0.0/16 -j DENY   # link-local
$IPCHAINS -A input -i $IF_EXT -b -s 192.0.2.0/24 -j DENY     # TEST-NET
$IPCHAINS -A input -i $IF_EXT -b -s 224.0.0.0/4 -j DENY      # multicast
$IPCHAINS -A input -i $IF_EXT -b -s 240.0.0.0/5 -j DENY      # reserved (class E)
$IPCHAINS -A input -i $IF_EXT -b -s 248.0.0.0/5 -j DENY      # reserved, incl. 255.255.255.255

4.  Lastly, at the end of the setup script, some "noise
    blocker" rules should be stuck in. This helps eliminate
    log file buildup (and the risk of resulting tooth
    decay...). Since they're at the very end, they're not
    interfering with normal ops that would have been set up
    earlier.

$IPCHAINS -A input -i $IF_EXT -d 255.255.255.255 -j DENY             # limited broadcast
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 137 -p tcp -j DENY        # NetBIOS name service
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 137 -p udp -j DENY
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 138 -p tcp -j DENY        # NetBIOS datagram service
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 138 -p udp -j DENY
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 67 -p udp -j DENY         # BOOTP/DHCP server port
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 68 -p udp -j DENY         # BOOTP/DHCP client port


        That's it. Please let me know what you think. Of 
course, I'd be willing to do the dirty work of editing the 
scripts and tar'ing them up for the inclusion in the new 
release. Just wanted to be sure the above has enough perceived
value.

cheers,
Scott


_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

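As an added example (not part of Scott's mail or of the LEAF scripts), the Python script below models first-match evaluation of the input-chain rules proposed in points 3 and 4 above, including the way `-b` mirrors a source match onto the destination, and runs constructed sample packets through them. The address 198.51.100.7 standing in for the router's external interface, the sample packets, and the ACCEPT chain policy are all assumptions made for illustration; `with_dhcp_client_accept` is likewise an assumed rule, not something the mail proposes.

```python
"""Model first-match evaluation of the ipchains 'input' rules proposed in
the mail above (points 3 and 4). Added example, not code from the mail or
from the LEAF scripts; all sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", ...
    dport: int = 0   # destination port; 0 when not applicable

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]    # None matches any protocol
    dport: Optional[int]    # None matches any port
    target: str
    text: str               # the ipchains options this rule came from

def deny_src(cidr: str, bidir: bool = True) -> List[Rule]:
    """ipchains -A input -i $IF_EXT -b -s CIDR -j DENY.
    -b installs the rule twice, as written and with source/destination
    swapped, so a -b source block also denies packets sent *to* the range."""
    net = ipaddress.ip_network(cidr)
    text = f"-b -s {cidr} -j DENY"
    rules = [Rule(net, ANY, None, None, "DENY", text)]
    if bidir:
        rules.append(Rule(ANY, net, None, None, "DENY", text + " [mirrored]"))
    return rules

def deny_dport(port: int, proto: str) -> Rule:
    """ipchains -A input -i $IF_EXT -d 0.0.0.0/0 PORT -p PROTO -j DENY."""
    return Rule(ANY, ANY, proto, port, "DENY",
                f"-d 0.0.0.0/0 {port} -p {proto} -j DENY")

def proposed_input_chain() -> List[Rule]:
    """Point-3 bogon blocks followed by point-4 noise blockers, in mail order."""
    chain: List[Rule] = []
    for cidr in ("0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
                 "224.0.0.0/4", "240.0.0.0/5", "248.0.0.0/5"):
        chain += deny_src(cidr)
    chain.append(Rule(ANY, ipaddress.ip_network("255.255.255.255/32"),
                      None, None, "DENY", "-d 255.255.255.255 -j DENY"))
    for port in (137, 138):
        chain += [deny_dport(port, "tcp"), deny_dport(port, "udp")]
    chain += [deny_dport(67, "udp"), deny_dport(68, "udp")]
    return chain

def with_dhcp_client_accept(chain: List[Rule]) -> List[Rule]:
    """Assumed rule (not from the mail): if the external interface is a DHCP
    client, an ACCEPT for server->client replies must be set up *before*
    the noise blockers, which otherwise deny them."""
    accept = Rule(ANY, ANY, "udp", 68, "ACCEPT", "-p udp -d 0.0.0.0/0 68 -j ACCEPT")
    return [accept] + chain

def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, str]:
    """First matching rule wins, as in ipchains; otherwise the chain policy
    (assumed ACCEPT here so that 'no match' is visible in the output)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target, rule.text
    return policy, "chain policy"

# Constructed samples; 198.51.100.7 plays the router's external address.
SAMPLES = {
    "spoofed probe from a reserved net": Packet("192.0.2.10", "198.51.100.7", "udp", 31337),
    "ISP DHCP reply to the router":      Packet("198.51.100.1", "255.255.255.255", "udp", 68),
    "packet addressed to multicast":     Packet("198.51.100.9", "224.0.0.1", "udp", 5000),
    "NetBIOS name-service noise":        Packet("198.51.100.80", "198.51.100.7", "udp", 137),
    "ordinary TCP reply":                Packet("198.51.100.80", "198.51.100.7", "tcp", 1025),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:36} -> {evaluate(proposed_input_chain(), pkt)}")
```

Two things the model makes visible that the rule list alone does not: the mirrored half of `-b -s 248.0.0.0/5` already denies anything addressed to 255.255.255.255, so the separate broadcast rule in point 4 never matches; and a DHCP reply from the ISP is denied by that same mirrored rule and again by the UDP 68 noise blocker, so on a DHCP-assigned external interface (the situation point 2 describes) the setup script needs an ACCEPT for those replies ahead of these rules, or the lease will not be obtained or renewed.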