Re: Dropping network "noise"

On Sun, Feb 13, 2005 at 09:28:41AM +0300, Mikhail Zotov wrote:
> Hello everybody,
> 
> I have a Linux machine (with a static routable IP address)
> connected to a windoops LAN.  As is known, there is certain
> "noise" in windoops networks, which can be silently dropped
> by a rule like this:
> 
> iptables -A INPUT -p udp --dport 135:139 -j DROP
> 
> I have found that this "noise" can also be effectively blocked
> by the following rule:
> 
> iptables -A INPUT -d ! $IP.ADDRESS.OF.MY_BOX -j DROP
> 
> I haven't noticed anything going wrong yet, still I'd like to
> know: Does this rule have a (potential) drawback?  Can it break
> anything in case I have NFS or obtain IP address via DHCP or
> in any other situation?
> 
> A similar question goes for the case of a Linux router/gateway
> protecting a LAN (with machines with routable IP addresses).
> Can the following rules do any harm?
> 
> iptables -A FORWARD -i $EXTERIOR_INTERFACE -d $LAN.BROADCAST -j DROP
> iptables -A FORWARD -i $EXTERIOR_INTERFACE -d ! $LAN.IP.ADDRESSES.RANGE -j DROP

you can also use the pkttype match to drop broadcast/multicast traffic,
without having to calculate the broadcast address for every interface,
and having another rule for the all-ones broadcast:

  -m pkttype --pkt-type broadcast -j DROP
  -m pkttype --pkt-type multicast -j DROP

-j

--
"Boy, if you want anything in this life, you have to work for it. Now
 be quiet while I listen for these lottery numbers."
        --The Simpsons
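To show how the pkttype suggestion fits into a complete ruleset next to the port-based rule from the original post, here is an added example that is not part of the thread. It emits a filter table in iptables-restore format for a single host or a gateway; the external interface name (eth0 by default) and the choice of chains are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the original thread: build an iptables-restore
# compatible filter table that drops link-layer broadcast and multicast
# "noise" with the pkttype match. The pkttype match tests the kernel's
# link-layer classification of the frame (skb->pkt_type), so one rule
# covers the subnet broadcast, the limited broadcast 255.255.255.255 and
# all multicast without computing a broadcast address per interface.

# noise_ruleset [EXTERNAL_IFACE]
# Prints the ruleset to stdout. The interface name is an assumption.
noise_ruleset() {
    ext_if="${1:-eth0}"   # assumed name of the interface facing the outside
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Broadcast/multicast arriving at this host (the single-machine case).
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m pkttype --pkt-type multicast -j DROP
# Same classes entering a gateway from outside (the router case). No
# per-LAN broadcast address or address range is needed for this.
-A FORWARD -i $ext_if -m pkttype --pkt-type broadcast -j DROP
-A FORWARD -i $ext_if -m pkttype --pkt-type multicast -j DROP
# Unicast NetBIOS/RPC probes are not broadcast, so the port rule from the
# original post is still needed for those.
-A INPUT -p udp --dport 135:139 -j DROP
COMMIT
EOF
}

# apply_noise_ruleset [EXTERNAL_IFACE]
# Loads the ruleset. Needs root and the pkttype match module. Note that a
# "*filter ... COMMIT" block replaces the whole filter table unless
# iptables-restore is given --noflush, so merge with existing rules first.
apply_noise_ruleset() {
    noise_ruleset "$1" | iptables-restore
}
```

Two caveats before loading this on a real box. The multicast rule drops every multicast frame, which includes IGMP, mDNS (224.0.0.251), SSDP (239.255.255.250) and routing protocols such as OSPF (224.0.0.5/6); if the machine participates in any of those, whitelist them above the DROP. Dropping broadcast does not stop a Linux DHCP client that uses a packet socket, since packet sockets receive frames before the IP layer and netfilter see them, but a client or daemon that listens on a normal UDP socket for broadcast packets would be affected. Check the counters with `iptables -L INPUT -v -n` after loading to confirm the pkttype rules are the ones absorbing the noise rather than something you did not expect.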

