On Sun, 13 Feb 2005, Jose Maria Lopez Hernandez wrote:
> El dom, 13-02-2005 a las 15:09 +0200, Georgi Alexandrov escribió:
> > Jose Maria Lopez Hernandez wrote:
> >
> > >El dom, 13-02-2005 a las 09:28 +0300, Mikhail Zotov escribió:
> > >
> > >
> > >>Hello everybody,
> > >>
> > >>I have a Linux machine (with a static routable IP address)
> > >>connected to a windoops LAN. As is known, there is certain
> > >>"noise" in windoops networks, which can be silently dropped
> > >>by a rule like this:
> > >>
> > >>iptables -A INPUT -p udp --dport 135:139 -j DROP
> > >>
> > >>
> > >
> > >That's OK, but also DROP port 445 because there's also a great
> > >amount of traffic in that port.
> > >
> > >
> > >
> > How exactly is that OK ? i guess you don't have anything listening on
> > 135-139/udp, right ?
>
> The OP *wanted* to DROP that ports, and their rules were OK. That's
> all I said. And have in mind that even if you are not listening in
> those ports you are responding RST-ACK packets if you don't DROP the
> connections. I have to DROP the 445 packets from the Internet because
> they cause my machine to send traffic I don't want to be sent.
>
> > So you won't "save" any traffic with a rule like that, that's how
> > ethernet works.
>
> You save the RST-ACK responses, if I'm not wrong.
>
> > The only point in a rule like that maybe is - if you are logging not
> > matched packets at the end of the filter table/INPUT chain and don't
> > want your logs flooded by that broadcast traffic.
>
> That's right. But if you want to DROP the Netbios packets also
> there's nothing wrong with it.
>
> > >If you are don't want to receive traffic your broadcast it's OK.
> > >
> > >
> > same thing here ... you will receive that broadcast traffic no matter
> > what. dropping it won't help.
>
> Same reason that before. You receive the packets, but you don't
> answer to them.
Two of the rules could be replace with sysctl statements;
#prevent spoofs
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# prevent being used in bradcast storms
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Or am I mistaken here?
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
