On Mon, 09 Jun 2003 at 08:36:03PM -0500, Jones wrote:
Phillip, I didn't post the entire file.
Sorry, that was so far up in the thread I lost track of it...
The default policy on the INPUT chain is DROP. I do allow incoming
Good
ssh ftp
On Sun, 08 Jun 2003 at 05:11:43PM -0500, Jones wrote:
can this weakness be fixed by having these lines in the iptables rules?
EXTERNAL_IF=eth0
# Log and drop incoming TCP connection establishment packets.
iptables -A INPUT -i $EXTERNAL_IF -p tcp --syn -j LOG --log-prefix TCP-SYN:
Assuming your default policy is drop or the last rule in your chain a
log/drop, then yes, the second rule would be redundant. Stick with rule
3 and ESTABLISHED/RELATED. Of course, no TCP based services on this
machine will work...
Phillip, I didn't post the entire file.
The default policy on
No, it's not at all uncommon to see incoming traffic from well known
ports. It's an easy way to bypass weakly configured firewalls.
can this weakness be fixed by having these lines in the iptables rules?
EXTERNAL_IF=eth0
# Log and drop incoming TCP connection establishment packets.
iptables
I've noticed some strange traffic on our firewalls recently. Someone (Or
multiple someones) are attempting to send tcp packets inbound to our
network FROM well known ports (e.g. port 80) to multiple port numbers,
and usually multiple addresses as well. Sometimes they are randomised,
(Port
On Thu, Jun 05, 2003 at 08:29:10PM +0100, Hamish Marson wrote:
I've noticed some strange traffic on our firewalls recently. Someone (Or
multiple someones) are attempting to send tcp packets inbound to our
network FROM well known ports (e.g. port 80) to multiple port numbers,
and usually
In article [EMAIL PROTECTED]
[EMAIL PROTECTED] writes:
I've noticed some strange traffic on our firewalls recently. Someone (Or
multiple someones) are attempting to send tcp packets inbound to our
network FROM well known ports (e.g. port 80)
Some firewalls that don't do proper connection
On Thu, Jun 05, 2003 at 10:02:53PM +0200, Christoph Haas wrote:
So most probably you see just the second. That's the way TCP works.
Sequential port numbers may show up because the counter of used
high-ports (1024 ff.) is just increased.
No, it's not at all uncommon to see incoming traffic from
Hamish Marson [EMAIL PROTECTED] writes:
I've noticed some strange traffic on our firewalls recently. Someone
(Or multiple someones) are attempting to send tcp packets inbound to
our network FROM well known ports (e.g. port 80) to multiple port
numbers, and usually multiple addresses as well.
Noah Meyerhans wrote:
On Thu, Jun 05, 2003 at 10:02:53PM +0200, Christoph Haas wrote:
So most probably you see just the second. That's the way TCP works.
Sequential port numbers may show up because the counter of used
high-ports (1024 ff.) is just increased.
No, it's not at all uncommon
Hamish Marson [EMAIL PROTECTED] writes:
But does nmap generate the packets WITHOUT the SYN flag set? Which is
what these are...
In this case, it's probably backscatter. Could you tell us a few
source/destination pairs? I could have a look at our flow database at
work and look for similar
On Fri, Jun 06, 2003 at 10:12:05PM +0200, Florian Weimer wrote:
But does nmap generate the packets WITHOUT the SYN flag set? Which is
what these are...
In this case, it's probably backscatter. Could you tell us a few
source/destination pairs? I could have a look at our flow database at
24 matches