Re: iptables leaking blocked ip addresses.

On Monday 20 June 2005 15:47, terry l. ridder wrote:
> > In the meantime I bet a few external nmap's of your IP would
> > give you some unpleasant surprises.
>
> you lose the bet.
> since you did not have the courage to post the results of an nmap of
> my network, i will.
>
> please see http://uuoc.com/?id=953 for the results of an external
> nmap of my network, 204.238.34.0/24.

Lack of courage, lack of interest, lack of will to be your unpaid 
security analyst, whatever. It's remarkable that you found that nmap 
acceptable, neither unpleasant nor surprising.

You certainly have won your arguments! People point to specific 
documented examples of why you're wrong, and you insist otherwise. 
Indeed I am convinced: writing to you is a waste of my time. Your 
arguments have been very persuasive in that regard.

For those who are playing along at home: I hope you looked at the 
poster's nmap results. It's a good example of a bad firewall. Here's 
one of mine:

(The 1654 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
113/tcp open  auth

And the iptables-save(8) rules that did this:

# Generated by iptables-save v1.2.8 on Mon Jun 20 23:26:37 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4102225:931569781]
:AllowFwd - [0:0]
:AllowIn - [0:0]
:Reject - [0:0]
:State - [0:0]
-A INPUT -j State
-A INPUT -j AllowIn
-A INPUT -j Reject
-A FORWARD -j State
-A FORWARD -j AllowFwd
-A FORWARD -j Reject
-A FORWARD -p tcp -j REJECT --reject-with icmp-port-unreachable
-A AllowFwd -s 192.168.6.0/255.255.255.0 -j ACCEPT
-A AllowFwd -d 192.168.6.0/255.255.255.0 -j ACCEPT
-A AllowFwd -o tun+ -j ACCEPT
-A AllowIn -p tcp -m tcp --dport 22 -j ACCEPT
-A AllowIn -p tcp -m tcp --dport 25 -j ACCEPT
-A AllowIn -p tcp -m tcp --dport 53 -j ACCEPT
-A AllowIn -p tcp -m tcp --dport 80 -j ACCEPT
-A AllowIn -p tcp -m tcp --dport 113 -j ACCEPT
-A AllowIn -p udp -m udp --dport 53 -j ACCEPT
-A AllowIn -i lo -j ACCEPT
-A AllowIn -p icmp -j ACCEPT
-A Reject -p tcp -j REJECT --reject-with icmp-port-unreachable
-A Reject -j DROP
-A State -m state --state INVALID -j DROP
-A State -m state --state RELATED,ESTABLISHED -j ACCEPT
-A State -i tun+ -j ACCEPT
COMMIT
# Completed on Mon Jun 20 23:26:37 2005
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
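An added audit check, not code from the original message: it parses the INPUT-side chains of the iptables-save dump above and walks them the way netfilter does (user chains, fall-through back to the caller, the built-in chain's policy), so the set of inbound ports that reach ACCEPT can be compared with what the nmap table reports. The FORWARD and AllowFwd chains are left out, only the match options that actually appear in the dump are understood, and the `eth0` interface name and TEST-NET addresses are constructed for the simulated packets.

```python
import shlex

# INPUT-side chains of the iptables-save dump posted above (FORWARD/AllowFwd
# left out); the [packets:bytes] counters play no part in matching.
RULESET = """\
:INPUT DROP [0:0]
:AllowIn - [0:0]
:Reject - [0:0]
:State - [0:0]
-A INPUT -j State
-A INPUT -j AllowIn
-A INPUT -j Reject
-A AllowIn -p tcp -m tcp --dport 22 -j ACCEPT
-A AllowIn -p tcp -m tcp --dport 25 -j ACCEPT
-A AllowIn -p tcp -m tcp --dport 53 -j ACCEPT
-A AllowIn -p tcp -m tcp --dport 80 -j ACCEPT
-A AllowIn -p tcp -m tcp --dport 113 -j ACCEPT
-A AllowIn -p udp -m udp --dport 53 -j ACCEPT
-A AllowIn -i lo -j ACCEPT
-A AllowIn -p icmp -j ACCEPT
-A Reject -p tcp -j REJECT --reject-with icmp-port-unreachable
-A Reject -j DROP
-A State -m state --state INVALID -j DROP
-A State -m state --state RELATED,ESTABLISHED -j ACCEPT
-A State -i tun+ -j ACCEPT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
SKIP = {"-m", "--reject-with"}          # take an argument but do not affect matching
OPTS = {"-p": "proto", "-i": "in_iface", "--dport": "dport", "--state": "state"}


def parse_ruleset(text):
    """Return (policies, chains) for the table in an iptables-save dump."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy, _counters = line[1:].split()
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks = shlex.split(line)
            match, target = {}, None
            # every option in this dump takes exactly one argument
            for opt, arg in zip(toks[2::2], toks[3::2]):
                if opt == "-j":
                    target = arg
                elif opt in OPTS:
                    match[OPTS[opt]] = arg
                elif opt not in SKIP:
                    raise ValueError(f"unsupported option {opt!r}")
            chains[toks[1]].append((match, target))
    return policies, chains


def matches(match, pkt):
    """True when every option on the rule matches the packet."""
    for field, want in match.items():
        have = pkt.get(field)
        if field == "in_iface":          # 'tun+' is a prefix wildcard
            ok = have.startswith(want[:-1]) if want.endswith("+") else have == want
        elif field == "state":           # --state takes a comma-separated list
            ok = have in want.split(",")
        else:                            # proto / dport
            ok = str(have) == want
        if not ok:
            return False
    return True


def evaluate(policies, chains, chain, pkt):
    """Walk one chain; return a verdict, or None when a user chain falls through."""
    for match, target in chains[chain]:
        if not matches(match, pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        verdict = evaluate(policies, chains, target, pkt)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None if policies[chain] == "-" else policies[chain]   # built-in policy


POLICIES, CHAINS = parse_ruleset(RULESET)


def inbound_verdict(proto, dport=None, iface="eth0", state="NEW"):
    """Verdict for a packet arriving from the Internet (constructed interface/addresses)."""
    pkt = {"proto": proto, "dport": dport, "in_iface": iface,
           "src": "203.0.113.9", "dst": "198.51.100.1", "state": state}
    return evaluate(POLICIES, CHAINS, "INPUT", pkt)


def accepted_ports(proto, max_port=1024):
    """Ports 1..max_port a new inbound packet can reach; compare with the nmap table."""
    return [p for p in range(1, max_port + 1) if inbound_verdict(proto, p) == "ACCEPT"]
```

Running `accepted_ports("tcp")` yields exactly the five ports nmap lists as open, and every other TCP port ends in the Reject chain's REJECT, which is why nmap reports them as filtered rather than closed; UDP probes to anything but 53 hit the final DROP. The same walk also shows the two paths that bypass the port list entirely: traffic arriving on `lo` or on any `tun+` interface, and packets in RELATED/ESTABLISHED state, which is what lets replies to outbound connections through.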

