Thank you for your suggestions Charles.

I think I will take the easy way on this and just add an extra computer on
the internal side and go with port forwarding. I think I want to stay on the
good side of the neighbors!  LOL

> If you want to run LaBrea using a private space IP, you'll probably need
> another Dachstein system to run it on.  Then just stick it on your internal
> network, and port-forward anything you want blocked to an unused IP on the
> internal net.  This is not a particularly clean solution, but may be easiest
> if you don't understand netfilter rules, and have an extra machine handy.
> You also have less chance of messing anything up this way, since LaBrea is
> not directly connected to your upstream link...
> 
> The cleaner way to do this is to setup LaBrea to listen on your external IP.
> Any traffic that is DENIED by the firewall rules can be captured by LaBrea,
> but you have to write filter rules for it.  I experimented some with this,
> but never got something I'd be happy packaging.
> 
> PLEASE NOTE:  LaBrea is an advanced networking tool, that talks *DIRECTLY*
> to the network, and can potentially be VERY DANGEROUS to properly operating
> networks.  Please *DO NOT* run LaBrea if you don't feel comfortable you've
> got a reasonable understanding of how it works.  Remember, LaBrea is a tool
> to annoy port-scanners, which it does a very good job at.  A bit of
> mis-application, however, and you could inadvertently kill access to a good
> chunk of your cable-modem segment, possibly keeping your friends and
> neighbors offline until a cable-modem technician figures out he needs to
> flush the arp-cache on your head-end router...anyone want to bet on exactly
> how long that might take?
> 
> With the disclaimer out of the way, the basic procedure would be:
> 
> - Configure LaBrea to *NOT* capture IP addresses (you've only got a single
> IP anyway, and while those on cable-modems might be able to grab additional
> IP's, you should play nice with your neighbors and the cable company, and
> grabbing extra IP's (even for tarpitting) would probably violate your terms
> of use).
> 
>     Use the -x switch for LaBrea to disable IP address capturing
> 
> - Stop the interface from running in promiscuous mode.  Edit
> /etc/init.d/LaBrea, and add a minus "-" in front of the promisc flag for the
> ifconfig command.  It should now read:  "ifconfig eth0 -promisc"
> 
> - Write a BPF (Berkeley Packet Filter) ruleset for the packets you want
> LaBrea to see (and hence respond to).  The traffic you want processed by
> LaBrea should meet the following criteria:
> 
>     * Destined to your public IP
>     * TCP traffic
>     * Inbound packets will be *DENIED* by firewall rules
> 
> For normal Dachstein systems, all "low" TCP ports (ie ports between 0 and
> 1023 inclusive) meet these criteria, unless there are some you're actually
> using (ie port-forwarding www, smtp, ssh, &c).  A BPF file that does this
> would be:
> 
>     dst host 1.2.3.4
>      and tcp[2:2] & 0xfc00 == 0
>      and not dst port (ssh or ftp or www)
> 
> The first line matches your IP address (set 1.2.3.4 to whatever your IP
> address is...you'll have to use a script to generate the BPF file if your IP
> is dynamic).
> 
> The second line matches all "low" TCP ports (ie the destination port field
> of the TCP header is less than 1024).  This rule also matches only TCP
> traffic, since we specified a field in a TCP header.
> 
> The third rule prevents any expected traffic from being matched, allowing
> port-forwarded services to work properly.  If you're not running any
> services you can delete the last line...if you *ARE* running services, make
> sure each is properly listed or strange things will happen.  This example
> system is running an ssh, ftp, and web server.  Note you can also use
> port-numbers...ie: (22 or 21 or 80) is identical to the above (ssh or ftp or
> www).
> 
> Charles Steinkuehler

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
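The quoted procedure ends with the note that a dynamic IP means generating the BPF file from a script, and that every forwarded service has to be listed or "strange things will happen". The script below is an added example that is not part of the original thread and not code from LaBrea or Dachstein. It builds the same three-clause filter (dst host, low TCP port, not the served ports) from the current address of the external interface and a list of served ports, and skips numeric ports of 1024 and above because the low-port clause already excludes them. The interface name, the BPF file path and the canned ifconfig text are assumptions; check /etc/init.d/LaBrea for where LaBrea actually reads its filter.

```shell
#!/bin/sh
# Added example, not code from the original post or from LaBrea/Dachstein.
# Regenerates the LaBrea BPF filter from the router's current public IP and
# the TCP ports that are really forwarded or served. Interface name, file
# path and the sample ifconfig text below are assumptions for illustration.

# build_labrea_filter PUBLIC_IP [PORT_OR_SERVICE ...]
# Prints one pcap/BPF expression:
#   dst host PUBLIC_IP             only traffic addressed to us
#   tcp[2:2] & 0xfc00 == 0         TCP only, destination port < 1024
#   not dst port (a or b or ...)   never tarpit ports we actually serve
# Ports may be numbers or /etc/services names (ssh, www, ...); names are
# left for libpcap to resolve. Numeric ports >= 1024 are skipped with a
# warning: the low-port clause already keeps them away from LaBrea.
build_labrea_filter() {
    ip="$1"; shift
    case "$ip" in
        *.*.*.*) ;;
        *) echo "build_labrea_filter: '$ip' is not an IPv4 address" >&2; return 1 ;;
    esac
    filter="dst host $ip and tcp[2:2] & 0xfc00 == 0"
    ports=""
    for p in "$@"; do
        case "$p" in
            '') echo "build_labrea_filter: empty port" >&2; return 1 ;;
            *[!0-9]*) ;;                         # service name, libpcap resolves it
            *) if [ "$p" -ge 1024 ]; then
                   echo "build_labrea_filter: $p is not a low port, skipping" >&2
                   continue
               fi ;;
        esac
        ports="${ports:+$ports or }$p"
    done
    if [ -n "$ports" ]; then
        filter="$filter and not dst port ($ports)"
    fi
    printf '%s\n' "$filter"
}

# extract_ipv4 < ifconfig-output
# First IPv4 address in ifconfig text. Handles the old "inet addr:1.2.3.4"
# layout (LEAF-era net-tools) and the newer "inet 1.2.3.4" layout; "inet6"
# lines do not match because of the space after "inet". Reads stdin so it
# can be exercised on canned text.
extract_ipv4() {
    sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9][0-9.]*\).*/\2/p' | head -n 1
}

# regen_labrea_bpf [PORT ...]
# Assumed operational wrapper: read the live address of the external
# interface and rewrite the BPF file atomically, then restart LaBrea from
# your DHCP/PPP up-hook. IFACE and BPF_FILE are assumptions.
IFACE="${IFACE:-eth0}"
BPF_FILE="${BPF_FILE:-/etc/labrea.bpf}"
regen_labrea_bpf() {
    ip=$(ifconfig "$IFACE" 2>/dev/null | extract_ipv4)
    if [ -z "$ip" ]; then
        echo "regen_labrea_bpf: no IPv4 address on $IFACE" >&2
        return 1
    fi
    build_labrea_filter "$ip" "$@" > "$BPF_FILE.tmp" && mv "$BPF_FILE.tmp" "$BPF_FILE"
}

# Constructed sample ifconfig output (old net-tools layout) for a stand-alone run.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:24.1.2.3  Bcast:24.1.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Demo: the post's example box (ssh, ftp, www) in numeric form.
sample_ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | extract_ipv4)
build_labrea_filter "$sample_ip" 22 21 80
```

Before pointing LaBrea at the generated file, confirm the expression compiles with `tcpdump -d "$(cat /etc/labrea.bpf)"` and compare the port list against the port-forward rules actually loaded on the box; the script only knows the ports you pass it, and a forwarded service that is missing from the list is exactly the mis-application the quoted warning is about.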