On Sun, 13-02-2005 at 15:54 -0500, R. DuFresne wrote:
> On Sun, 13 Feb 2005, Jose Maria Lopez Hernandez wrote:
>
> > On Sun, 13-02-2005 at 15:09 +0200, Georgi Alexandrov wrote:
> > > Jose Maria Lopez Hernandez wrote:
> > >
> > > > On Sun, 13-02-2005 at 09:28 +0300, Mikhail Zotov wrote:
> > > >
> > > > > Hello everybody,
> > > > >
> > > > > I have a Linux machine (with a static routable IP address)
> > > > > connected to a windoops LAN. As is known, there is certain
> > > > > "noise" in windoops networks, which can be silently dropped
> > > > > by a rule like this:
> > > > >
> > > > > iptables -A INPUT -p udp --dport 135:139 -j DROP
> > > > >
> > > >
> > > > That's OK, but also DROP port 445 because there's also a great
> > > > amount of traffic on that port.
> > >
> > > How exactly is that OK? I guess you don't have anything listening on
> > > 135-139/udp, right?
> >
> > The OP *wanted* to DROP those ports, and their rules were OK. That's
> > all I said. And have in mind that even if you are not listening on
> > those ports you are responding with RST-ACK packets if you don't DROP the
> > connections. I have to DROP the 445 packets from the Internet because
> > they cause my machine to send traffic I don't want to be sent.
> >
> > > So you won't "save" any traffic with a rule like that, that's how
> > > ethernet works.
> >
> > You save the RST-ACK responses, if I'm not wrong.
> >
> > > The only point in a rule like that maybe is - if you are logging not
> > > matched packets at the end of the filter table/INPUT chain and don't
> > > want your logs flooded by that broadcast traffic.
> >
> > That's right. But if you want to DROP the Netbios packets also
> > there's nothing wrong with it.
> >
> > > > If you don't want to receive your broadcast traffic, it's OK.
> > >
> > > same thing here ... you will receive that broadcast traffic no matter
> > > what. dropping it won't help.
> >
> > Same reason as before. You receive the packets, but you don't
> > answer them.
>
> Two of the rules could be replaced with sysctl statements;
>
> # prevent spoofs
>
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

Sure it will work... if the traffic is spoofed. The OP was talking about
traffic from its own LAN.

> # prevent being used in broadcast storms
>
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

This only prevents ICMP broadcasts; if you want to stop UDP broadcast
traffic you need other rules.

> Or am I mistaken here?

I think so, but it's just my opinion.

> Thanks,
>
> Ron DuFresne

Regards.

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
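The rules and sysctls argued over in this thread, collected into one script as an added example (not code posted by anyone on the list). It assumes a LAN interface named eth0 and adds a dry-run switch (IPT=echo, SYSCTL=echo) so the commands can be inspected without root; the comments record which kind of reply traffic each setting actually suppresses.

```shell
#!/bin/sh
# Added example, not code from the thread: the INPUT rules and sysctls discussed
# above, with a dry-run switch. IPT/SYSCTL default to the real tools; setting
# them to "echo" prints the commands instead. LAN_IF=eth0 is an assumed name.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
LAN_IF="${LAN_IF:-eth0}"

drop_windows_noise() {
    # NetBIOS (UDP 137-139) and SMB (TCP/UDP 445) chatter from the LAN.
    # DROP rather than REJECT: the host then sends neither an ICMP
    # port-unreachable (UDP) nor a RST (TCP) back, which is the reply
    # traffic the thread wants to avoid. The broadcasts themselves still
    # arrive on the wire; the rule only stops the answer and keeps the
    # packets out of the catch-all LOG rule below.
    "$IPT" -A INPUT -i "$LAN_IF" -p udp -m multiport --dports 135:139,445 -j DROP
    "$IPT" -A INPUT -i "$LAN_IF" -p tcp -m multiport --dports 135:139,445 -j DROP
}

log_unmatched() {
    # Rate-limited log of whatever reaches the end of INPUT. Only bearable
    # once the NetBIOS/SMB noise has been dropped earlier in the chain.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-unmatched: "
}

apply_sysctls() {
    # Orthogonal to the port rules: rp_filter=1 discards packets whose source
    # address would not be routed back out the arriving interface (spoofing),
    # and icmp_echo_ignore_broadcasts=1 silences only ICMP echo requests sent
    # to a broadcast address. Neither touches UDP 137-139/445 broadcasts.
    "$SYSCTL" -w net.ipv4.conf.all.rp_filter=1
    "$SYSCTL" -w net.ipv4.icmp_echo_ignore_broadcasts=1
}

case "${1:-}" in
    apply)   drop_windows_noise; log_unmatched; apply_sysctls ;;
    dry-run) IPT=echo; SYSCTL=echo
             drop_windows_noise; log_unmatched; apply_sysctls ;;
esac
```

Run with `sh rules.sh dry-run` to print the commands, or `sh rules.sh apply` as root to load them.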