There are a number of things you can do here.

First of all, these freakin IIS worms will continue to drive you and the
rest of us nuts, so, if you are not running a web server in your network
insert the following rules into your input chain to silently deny these
probes without logging them:

ipchains -I input -j DENY -p tcp -d 0/0 80 -i eth0
ipchains -I input -j DENY -p udp -d 0/0 80 -i eth0

Note there is no -l option therefore these rules will not log - saves on
your logs filling up with useless garbage.  If the ramdisk fills up, the
router will die.  I found this out the hard way a long time ago - consider
moving /var/log to a second ramdisk - replacing your log.lrp with ramlog.lrp
from dachstein is not too difficult.

Secondly, the weblet package is configurable - set the thresholds higher
for firewall warnings and errors in /etc/weblet.conf.  They are by default
set to trip at 5 and 50 deny/reject packets, respectively.

----- Original Message -----
From: "Jeff Newmiller" <[EMAIL PROTECTED]>
To: "Cam Bremner" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, September 23, 2001 10:41 PM
Subject: Re: [Leaf-user] need help w/ LRP FW rules and Logging ?


> On Sun, 23 Sep 2001, Cam Bremner wrote:
>
> > Hello,
> >
> > I am using the Eigerstein2Beta image to share my cable modem using
> > DHCP. It's all working wonderfully, but I'm wondering how to
> > configure either the firewall rules or the log thresholds, whichever
> > is more appropriate for my situation. The status page is showing a
> > firewall error in a big scary red box, and the logs are full of the
> > following:
> >
> > 1) what exactly is this ?
>
> Attempts to connect to port 80 on your external interface.
>
> Most likely from NIMDA, and yours is among the millions of ip addresses
> being pounded on these days in this fashion.  It is unlikely that anyone
> is singling you out.
>
> > 2) how can I make it not freak out if this is normal ?
>
> The webpage? someone else will have to answer that.
>
> > 3) when the logs get big, what happens ? are they purged ? does the
> > router run out of memory and die ?
>
> There are settings that determine the log rotation schedule
> (/etc/lrp.conf, I think).  Most are set to rotate once per day.  The
> rotation shifts the logs in /var/log to .0, then to .1.gz, then .2.gz, and
> finally 3.gz, and then are deleted. So you get four days of logs, but you
> have to zcat|more the older ones to look at them.
>
> If you get hit hard enough, your ramdisk may fill up.  This may impair the
> routing function somewhat, though the most noticeable effect will probably
> be that your web page probably won't appear, and you may not be able
> to log in.
>
> [...]
>
> ---------------------------------------------------------------------------
> Jeff Newmiller                        The     .....       .....  Go Live...
> DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
>                                       Live:   OO#.. Dead: OO#..  Playing
> Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
> /Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
> ---------------------------------------------------------------------------
>
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
>
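
Added example (not part of the original messages): a shell sketch that tallies logged input DENY/REJECT packets by destination port and compares the totals, with and without port 80, against the default thresholds of 5 and 50 quoted in the reply. The log lines are constructed samples in the ipchains "Packet log:" format; the function names, and the assumption that a threshold trips once the count reaches it, are illustrative and not taken from weblet.

```sh
#!/bin/sh
# Constructed sample of ipchains "Packet log:" kernel lines (documentation addresses).
sample_log() {
cat <<'EOF'
Sep 23 22:01:10 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3345 198.51.100.7:80 L=48 S=0x00 I=4512 F=0x4000 T=112 SYN (#12)
Sep 23 22:01:13 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3345 198.51.100.7:80 L=48 S=0x00 I=4519 F=0x4000 T=112 SYN (#12)
Sep 23 22:02:41 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:1190 198.51.100.7:80 L=48 S=0x00 I=9021 F=0x4000 T=109 SYN (#12)
Sep 23 22:03:02 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.31:137 198.51.100.7:137 L=78 S=0x00 I=771 F=0x0000 T=110 (#12)
Sep 23 22:04:55 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.90:4410 198.51.100.7:80 L=48 S=0x00 I=3310 F=0x4000 T=115 SYN (#12)
Sep 23 22:05:17 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.44:2201 198.51.100.7:21 L=44 S=0x00 I=120 F=0x4000 T=50 SYN (#9)
Sep 23 22:06:30 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.12:1893 198.51.100.7:80 L=48 S=0x00 I=6002 F=0x4000 T=113 SYN (#12)
EOF
}

# count_denies PORT: count logged input DENY/REJECT packets on stdin whose
# destination port is PORT; an empty PORT counts every such packet.
count_denies() {
  awk -v port="$1" '
    /Packet log: input (DENY|REJECT)/ {
      dst = ""
      # The field layout is PROTO=n SRC:port DST:port, so DST is two past PROTO=.
      for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) { dst = $(i + 2); break }
      n = split(dst, a, ":")
      if (port == "" || a[n] == port) c++
    }
    END { print c + 0 }'
}

# classify COUNT [WARN] [ERR]: defaults are the 5 and 50 quoted in the reply.
# Assumption: a threshold trips as soon as the count reaches it.
classify() {
  count=$1; warn=${2:-5}; err=${3:-50}
  if [ "$count" -ge "$err" ]; then echo error
  elif [ "$count" -ge "$warn" ]; then echo warning
  else echo ok
  fi
}

total=$(sample_log | count_denies "")
web=$(sample_log | count_denies 80)
rest=$((total - web))
echo "all denies: $total ($(classify "$total")); without port 80: $rest ($(classify "$rest"))"
```

On a live router, pipe the kernel log file into count_denies in place of sample_log to see how much of the deny count the non-logging port 80 rules would remove.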

