Good topic. I've read a CERT that states that ISPs should practice being good net citizens by not allowing packets with spoofed IP addresses to leave their networks.

Maybe I'm a little naive, but if everyone did this, wouldn't this prevent the majority of hack attacks?

Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel F. Chief Security Engineer
Sent: Monday, March 25, 2002 2:31 PM
To: Netfilter - Mail list
Subject: Being a good netizen, with iptables.

This may be more philosophical than technical.

I have several gateway firewalls using iptables : ) Big ones; each one can see at peak around 100+ Mbs. I have many rules for ports that are filtered to REJECT with an ICMP port or host unreachable.

From time to time I get e-mails from other _admins_ saying "Your IP xxx.xxx.xxx.xxx is attacking us"; some of them include packet logs showing the ICMP packets coming from my firewall. So basically I tell them to check out their own system, as I know my firewalls are secure (of course I check them out every time because I'm paranoid), telling them that it is possible that someone spoofed their IP while sending me packets. But it could be port scanners who may own the other guy's box or have an account there which allows them to portscan.

Using the REJECTs seems to me like it would possibly draw attention to these systems that are doing such naughty things, when a netadmin hopefully sees the potentially hundreds of ICMP port unreachables coming in to his network headed for one machine. I know I have filters set up to see this kind of stuff and alert me to the possibility of a compromised machine.

I'm not trying to start a _Holy_war_ between DROP and REJECT fans, just wondering what the consensus is here. What should a good netizen do these days?

TIA

--
Chief Security Engineer | Daniel Fairchild
[EMAIL PROTECTED]
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
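The three things the thread touches on (egress filtering of spoofed source addresses, REJECT with ICMP port unreachable on filtered ports, and noticing a burst of ICMP unreachables headed for one internal host) can all be expressed as small iptables chains. The script below is an added example written for this thread; it is not Daniel's rule set and not part of the original messages. The address block `192.0.2.0/24`, the interface `eth0`, the port list and the chain names are placeholder assumptions. By default `IPT` is set to `echo iptables`, so running the script only prints the rules; set `IPT=iptables` as root to load them.

```shell
#!/bin/sh
# Added example for the netfilter thread above (not the poster's own rules).
# Assumed placeholders: LOCAL_NET is the address block this gateway is
# responsible for, EXT_IF is its upstream interface. IPT defaults to a dry
# run that prints each iptables command; IPT=iptables applies them.
LOCAL_NET="192.0.2.0/24"
EXT_IF="eth0"
IPT="${IPT:-echo iptables}"

# 1. Egress anti-spoofing (the "good net citizen" point in Rob's reply):
#    nothing may leave via EXT_IF unless its source is inside LOCAL_NET.
#    Offending packets are logged (rate limited) and dropped, so a
#    compromised internal host cannot spoof someone else's address outward.
egress_antispoof_rules() {
  $IPT -N EGRESS
  $IPT -A EGRESS -s "$LOCAL_NET" -j RETURN
  $IPT -A EGRESS -m limit --limit 5/min -j LOG --log-prefix "SPOOFED-EGRESS: "
  $IPT -A EGRESS -j DROP
  $IPT -A FORWARD -o "$EXT_IF" -j EGRESS
  $IPT -A OUTPUT  -o "$EXT_IF" -j EGRESS
}

# 2. Filtered ports answered with REJECT, as Daniel describes, but logged
#    first so the firewall keeps its own record of what it rejected. That
#    log is the evidence to produce when someone mails "your IP is attacking
#    us": it shows which remote address actually sent the probes.
#    The port list is an assumed placeholder.
reject_filtered_ports_rules() {
  $IPT -N FILTERED
  $IPT -A FILTERED -m limit --limit 10/min -j LOG --log-prefix "REJECTED-IN: "
  $IPT -A FILTERED -j REJECT --reject-with icmp-port-unreachable
  $IPT -A INPUT -i "$EXT_IF" -p tcp -m multiport --dports 135,139,445 -j FILTERED
  $IPT -A INPUT -i "$EXT_IF" -p udp -m multiport --dports 137,138 -j FILTERED
}

# 3. The detection Daniel mentions: many inbound ICMP port unreachables
#    aimed at one internal machine suggest that machine is scanning out
#    (possibly compromised) or that its address is being spoofed by a
#    scanner elsewhere. hashlimit keyed on destination IP logs only when
#    a single internal host exceeds 50 unreachables per minute. LOG is
#    non-terminating, so the packets themselves still pass through.
icmp_unreachable_watch_rules() {
  $IPT -A FORWARD -i "$EXT_IF" -p icmp --icmp-type port-unreachable \
    -m hashlimit --hashlimit-above 50/min --hashlimit-mode dstip \
    --hashlimit-name icmp_unreach \
    -j LOG --log-prefix "ICMP-UNREACH-BURST: "
}

load_all() {
  egress_antispoof_rules
  reject_filtered_ports_rules
  icmp_unreachable_watch_rules
}

load_all
```

The EGRESS chain is attached to both FORWARD and OUTPUT so that traffic originated by the firewall itself is held to the same source-address check as traffic it forwards. The `ICMP-UNREACH-BURST:` log lines are what a host-monitoring filter would match on to raise the "possibly compromised machine" alert described in the original message.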
