Re: Dropping network "noise"

Jose Maria Lopez Hernandez wrote:

On Sun, 13-02-2005 at 09:28 +0300, Mikhail Zotov wrote:


Hello everybody,

I have a Linux machine (with a static routable IP address)
connected to a windoops LAN.  As is known, there is certain
"noise" in windoops networks, which can be silently dropped
by a rule like this:

iptables -A INPUT -p udp --dport 135:139 -j DROP



That's OK, but also DROP port 445, because there's also a great amount of traffic on that port.



How exactly is that OK? I guess you don't have anything listening on 135-139/udp, right?
So you won't "save" any traffic with a rule like that; that's how Ethernet works.
The only point in a rule like that, maybe, is if you are logging unmatched packets at the end of the filter table's INPUT chain and don't want your logs flooded by that broadcast traffic.


I have found that this "noise" can also be effectively blocked
by the following rule:

iptables -A INPUT -d ! $IP.ADDRESS.OF.MY_BOX -j DROP



Yes, it's a rule to prevent spoofing. It's OK *if* and *only if* $IP.ADDRESS.OF.MY_BOX is really the IP address of your box, and the *only* IP address of your box (you can have more than one for various reasons).



I haven't noticed anything going wrong yet, still I'd like to
know: Does this rule have a (potential) drawback? Can it break
anything in case I have NFS or obtain IP address via DHCP or
in any other situation?



NFS doesn't have any problem, but if you receive your IP via DHCP you must change the IP in the rule to the one received. And also, if you use Zeroconf, you must have a rule to accept the traffic for the Zeroconf IP.



A similar question goes for the case of a Linux router/gateway
protecting a LAN (with machines with routable IP addresses).
Can the following rules do any harm?

iptables -A FORWARD -i $EXTERIOR_INTERFACE -d $LAN.BROADCAST -j DROP



If you don't want to receive traffic to your broadcast address, it's OK.


Same thing here... you will receive that broadcast traffic no matter what. Dropping it won't help.



iptables -A FORWARD -i $EXTERIOR_INTERFACE -d ! $LAN.IP.ADDRESSES.RANGE -j DROP



And this is another anti-spoofing rule. I'll tell you the same as for the previous rule: it's OK if $LAN.IP.ADDRESSES.RANGE is OK.



Thanks in advance!

--
Mikhail



Regards.



regards,
Georgi Alexandrov
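The following is an added example, not part of the thread above, that puts the points raised in this exchange into one script: the 135-139/445 noise is dropped ahead of a final LOG rule so the log is not flooded, the destination anti-spoofing rule is built as a chain that accepts every address the box holds (not just one), the Zeroconf link-local range is accepted as well, and the gateway FORWARD rules from the second question are generated from the exterior interface and LAN range. The chain name `local-dst`, the log prefix, the address arguments and the `DRY_RUN` switch are all my own choices; when `DRY_RUN` is set the script only prints the rules, so iptables itself is not touched.

```shell
#!/bin/sh
# Added example, not from the thread: build the INPUT rules the reply
# describes for a box with several addresses, a changing DHCP lease and a
# Zeroconf (169.254.0.0/16) address, plus the gateway FORWARD rules.
# Local addresses are passed in as arguments rather than discovered, so
# the functions can be exercised without root; on a real box, feed them e.g.
#   ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1
# and re-run from the DHCP client hook whenever the lease changes.

# Run a command, or just print it when DRY_RUN is set (no root needed).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_input_rules ADDR [ADDR...]
# ADDR: every IPv4 address this box holds; a host may have more than one.
build_input_rules() {
    [ $# -ge 1 ] || { echo "usage: build_input_rules ADDR [ADDR...]" >&2; return 1; }

    # 0. Loopback must be accepted before the destination check below,
    #    otherwise 127.0.0.1 traffic would be dropped as "not our address".
    run iptables -A INPUT -i lo -j ACCEPT

    # 1. Silently drop NetBIOS/SMB chatter (135-139 and 445) first, so it
    #    never reaches the LOG rule at the end of the chain.
    run iptables -A INPUT -p udp -m multiport --dports 135:139,445 -j DROP
    run iptables -A INPUT -p tcp -m multiport --dports 135:139,445 -j DROP

    # 2. Destination-side anti-spoofing. A single "! -d $IP -j DROP" only
    #    works for a box with exactly one address, so use a chain (name
    #    "local-dst" is my choice) that RETURNs for each local address
    #    and drops everything else.
    run iptables -N local-dst
    for addr in "$@"; do
        run iptables -A local-dst -d "$addr" -j RETURN
    done
    # Zeroconf hosts also hold a link-local address; accept that range too.
    run iptables -A local-dst -d 169.254.0.0/16 -j RETURN
    run iptables -A local-dst -j DROP
    run iptables -A INPUT -j local-dst

    # (Your ACCEPT rules for the services you actually run go here.)

    # 3. Whatever is still unmatched gets logged (rate limited) and dropped.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-unmatched:"
    run iptables -P INPUT DROP
}

# build_forward_rules EXT_IF LAN_RANGE LAN_BCAST
# Gateway variant from the second question: drop packets arriving on the
# exterior interface aimed at the LAN broadcast address or at an address
# outside the routable LAN range.
build_forward_rules() {
    [ $# -eq 3 ] || { echo "usage: build_forward_rules EXT_IF LAN_RANGE LAN_BCAST" >&2; return 1; }
    ext_if=$1 lan_range=$2 lan_bcast=$3
    run iptables -A FORWARD -i "$ext_if" -d "$lan_bcast" -j DROP
    run iptables -A FORWARD -i "$ext_if" ! -d "$lan_range" -j DROP
}

# Usage (prints the rules; unset DRY_RUN and run as root to apply them):
#   DRY_RUN=1 build_input_rules 198.51.100.7 198.51.100.8
#   DRY_RUN=1 build_forward_rules eth0 198.51.100.0/24 198.51.100.255
```

Note that step 2 drops broadcast and multicast destinations as well, which is exactly what the "-d ! $IP" rule in the question does; as Georgi points out, that saves no bandwidth (the frames still arrive on the wire), it only keeps them out of the LOG rule in step 3. The `! -d` form is the current iptables syntax for the older `-d !` used in the thread.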


