> 1. First, when it refreshes, I'm not sure that
> it flushes the rules *and* the portfw's/autofw's.
> I could be wrong here, but I think it only flushes
> the ipchains rules and doesn't touch what was
> previously setup with ipmasqadm.
I'll check this.
> 2. Given the increased popularity of ISPs giving out
> RFC-1918 private addresses with DHCP and then static
> NAT'ing them, I think part of the firewall setup which
> blocks the RFC-1918 address specifically should be
> dropped.
While I still think the private IP's should be blocked by default, there
should be an easy way to disable a particular range, and documentation on
the fact that this might be required. I'll add a way to do this in the new
firewall scripts.
> 3. Many of the trojan's I've read about use blind-attacks
> where a response from the target isn't needed. So the
> attacker can spoof the return IP address, and they
> often choose from the reserve-address range (and use
> the "eleet" port of 31337). Anyhow. as per CIAC alert
> K-032, I think the following reserved address traffic
> should be blocked explicitly:
>
> $IPCHAINS -A input -i $IF_EXT -b -s 0.0.0.0/8 -j DENY
> $IPCHAINS -A input -i $IF_EXT -b -s 224.0.0.0/4 -j DENY
> $IPCHAINS -A input -i $IF_EXT -b -s 240.0.0.0/5 -j DENY
The above IP's are already blocked...
> $IPCHAINS -A input -i $IF_EXT -b -s 169.254.0.0/16 -j DENY
> $IPCHAINS -A input -i $IF_EXT -b -s 192.0.2.0/24 -j DENY
> $IPCHAINS -A input -i $IF_EXT -b -s 248.0.0.0/5 -j DENY
I'll check into blocking these IP's as well...
> 4. Lastly, at the end of the setup script, some "noise
> blocker" rules should be stuck in. This helps eliminate
> log file buildup (and the risk of resulting tooth
> decay...). Since they're at the very end, they not
> interfering with normal op's that would have been setup
> earlier.
>
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 137 -p tcp -j DENY
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 137 -p udp -j DENY
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 138 -p tcp -j DENY
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 138 -p udp -j DENY
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 67 -p udp -j DENY
The above are already blocked w/o logging (along with a few more netbios
ports: 135 & 139)...
> $IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 68 -p udp -j DENY
> $IPCHAINS -A input -i $IF_EXT -d 255.255.255.255 -j DENY
Again, I'll look into blocking these IP's as well...
> That's it. Please let me know what you think. Of
> course, I'd be willing to do the dirty work of editing the
> scripts and tar'ing them up for the inclusion in the new
> release. Just wanted to be sure the above has enough perceived
> value.
I need to fold my extended V1.0 & V1.1 functionality together with my latest
proxy-arp DMZ scripts, so I can make the mods, but pointers to any RFC's or
other docs that refer to the new subnet ranges you think should be blocked
would be helpful...
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel
