Strange question maybe, but my ISP is @home and for several weeks I have been getting loads of traffic (broadcasts) from an internal IP address. I use SuSEfirewall and it logs all these packets perfectly. Only I don't want that, because these packets arrive every second (!), so this way my logs are growing very fast. So until @home manages to stop the broadcasts from this individual I would like not to log these packets. I guess it starts something like ipchains -A input -j DENY -s 192.168.0.1 -p udp -i eth1 but what should come after that? Bear in mind please that I also use SuSEfirewall, which takes care of the logging. Should I edit the SuSEfirewall script to succeed? Any help is deeply appreciated, because I have to turn off syslogd because of this. TIA,
--
SuSE Linux 6.4 -o) | Honk if you love peace and quiet.
Kernel 2.2.15 /\ | on a i686 _\_v | mailto:frhart@home.nl |
<cut> Hello Frank, If you are connected to the internet with a 3com network card shipped with your @Home connection, you are very lucky, because there's a patch available in the newsgroup athome.nl.linux which cancels broadcast traffic on your network card. Believe it or not: you won't see any broadcast traffic anymore. That's the only solution I found so far.
So until @home manages to stop the broadcasts from this individual I would like not to log these packets. I guess it starts something like
Cable Internet is a shared medium, not a point-to-point connection like internet by modem/ISDN/etc. @Home won't stop broadcasters. A solution for your firewall: change IPCHAINS -F input -l to IPCHAINS -F input It stops logging incoming traffic, which means you can turn on your syslogd again. Greetz, Siert
Cable Internet is a shared medium, not a point to point connection like internet by modem/isdn/etc. @Home won't stop broadcasters.
Sigh, no this is false. @home providers are basically a consortium to share advertising costs/etc, the technology used varies hugely. Some are quite bad, some are quite good. You generally don't hear about the good ones because users don't complain. -Kurt
Kurt, I have no idea what you are talking about. @home provides high speed internet access here in the United States using cable television systems. Check out: www.home.com The company is largely owned by AT&T. Oh, btw, are you still maintaining the Linux System Administrators Guide? The site still says, "I am currently re-organizing the LASG a bit." It doesn't list a date for when it was last updated.
Cable Internet is a shared medium, not a point to point connection like internet by modem/isdn/etc. @Home won't stop broadcasters.
Sigh, no this is false. @home providers are basically a consortium to share advertising costs/etc, the technology used varies hugely. Some are quite bad, some are quite good. You generally don't hear about the good ones because users don't complain.
-Kurt
On Mon, 5 Jun 2000, Kurt Seifried wrote:
Cable Internet is a shared medium, not a point to point connection like internet by modem/isdn/etc. @Home won't stop broadcasters.
Sigh, no this is false. @home providers are basically a consortium to share advertising costs/etc, the technology used varies hugely. Some are quite bad, some are quite good. You generally don't hear about the good ones because users don't complain.
Ok, I agree. My apologies for not mentioning 'NL', because I do know some @Home providers in the USA which are pretty good. In the Netherlands many @Home members complain about wrong DNS entries, broadcast traffic, down e-mail servers, abuse, etc. We almost had a usenet death penalty a few months ago. The service from @Home in NL is really bad, the network quality too. I never had a reply to a complaint, and neither have my friends. Ok, this is probably getting off-topic, so I'll stop complaining about my ISP in this security mailing list. It's just to show Frank that he should not expect too much from @Home in the Netherlands and that the only solution (I know) is patching your 3com network card driver. If anyone knows a solution to stop seeing broadcast traffic, I am listening... Regards, Siert
--
Useful information for @Home NL members
Troubles@Home http://members.home.nl/gebruikers
Newsgroups athome.nl.linux, athome.nl.netwerk, athome.nl.security
"S.G. Zijl" wrote:
If you are connected to the internet with a 3com network card shipped with your @Home connection, you are very lucky, because there's a patch available in the newsgroup athome.nl.linux which cancels broadcast traffic on your network card. Believe it or not: you won't see any broadcast traffic anymore.
That's the only solution I found so far.
But this won't work for you because you don't have a 3com, right? ;-) (I've seen your posts about this problem too). But I don't think I want to use a hacked 3com driver. Just change the firewall script.
A solution for your firewall, change
IPCHAINS -F input -l
to
IPCHAINS -F input
It stops logging incoming traffic, which means you can turn on your syslogd again.
Ok, but I don't want to stop logging incoming traffic. I want to stop logging a specific IP on a specific port. Oh well, just called @home for the 34657th time about this problem. They are getting more serious about this every day now ;-)
--
SuSE Linux 6.4 -o) | This is National Non-Dairy Creamer Week.
Kernel 2.2.15 /\ | on a i686 _\_v | mailto:frhart@home.nl |
I have SuSEfirewall running on SuSE 6.2. I have noticed in /var/log/messages that when sending mail I get a series (three or four) of denied packets from port 3 on the linux box to port 3 on the receiving mail server, such as:
Jun 6 06:43:01 celebrity kernel: Packet log: output DENY eth0 PROTO=1 xxx.xx.xxx.4:3 208.31.42.43:3 L=108 S=0xC0 I=10508 F=0x0000 T=255 (#3)
Jun 6 06:43:03 celebrity kernel: Packet log: output DENY eth0 PROTO=1 xxx.xx.xxx:3 208.31.42.43:3 L=108 S=0xC0 I=10509 F=0x0000 T=255 (#3)
Jun 6 06:43:07 celebrity kernel: Packet log: output DENY eth0 PROTO=1 xxx.xx.xxx.4:3 208.31.42.43:3 L=108 S=0xC0 I=10510 F=0x0000 T=255 (#3)
Jun 6 06:43:15 celebrity kernel: Packet log: output DENY eth0 PROTO=1 xxx.xx.xxx.4:3 208.31.42.43:3 L=108 S=0xC0 I=10511 F=0x0000 T=255 (#3)
Does anyone know what this is? I can't see port 3 in /etc/services. Should I open it up in the firewall? Many thanks Andrew
--
Andrew Hougie, Grinton, Aldenham Grove, Radlett, Hertfordshire, England, WD7 7BW
Email: andrew@hougie.co.uk WWW: http://www.hougie.co.uk
I have SuSEfirewall running on SuSE 6.2. I have noticed in /var/log/messages that when sending mail I get a series (three or four) of denied packets from port 3 on the linux box to port 3 on the receiving mail server, such as:
Jun 6 06:43:01 celebrity kernel: Packet log: output DENY eth0 PROTO=1 xxx.xx.xxx.4:3 208.31.42.43:3 L=108 S=0xC0 I=10508 F=0x0000 T=255 (#3)
Jun 6 06:43:03 celebrity kernel: Packet log: output DENY eth0 PROTO=1 xxx.xx.xxx:3 208.31.42.43:3 L=108 S=0xC0 I=10509 F=0x0000 T=255 (#3)
Jun 6 06:43:07 celebrity kernel: Packet log: output DENY eth0 PROTO=1 xxx.xx.xxx.4:3 208.31.42.43:3 L=108 S=0xC0 I=10510 F=0x0000 T=255 (#3)
Jun 6 06:43:15 celebrity kernel: Packet log: output DENY eth0 PROTO=1 xxx.xx.xxx.4:3 208.31.42.43:3 L=108 S=0xC0 I=10511 F=0x0000 T=255 (#3)
Does anyone know what this is? I can't see port 3 in /etc/services. Should I open it up in the firewall?
Look at the PROTO=1 field: this means it's an ICMP type 3 packet, not a TCP (PROTO=6) packet for port 3. ICMP type 3 means "Destination unreachable". Look at RFC 792 for further information about ICMP and these types. Ulf
____________________________________
Ulf Leichsenring
Lufthansa Systems AS GmbH
Schützenwall 1
D-22844 Norderstedt
Tel.: +49-40-5070-7859 Fax: +49-40-5070-7880
mailto:uleichsenring@lhsystemsas.de Internet: http://www.lhsystemsas.de
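As an added example (not code from any poster in this thread), here is a small parser for the ipchains "Packet log:" lines quoted above. It decodes the PROTO=1 case the way Ulf describes (the two "port" columns are really ICMP type and code) and counts packets per source, which is also how one would spot the host that floods Frank's log every second. The regex assumes the field order shown in the quoted lines; the two UDP sample lines are constructed placeholders.

```python
import re
from collections import Counter

# Regex for the ipchains "Packet log:" lines quoted above (assumption: the
# fields come in the fixed order the 2.2 kernel prints them).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<a>\d+) (?P<dst>\S+):(?P<b>\d+) L=\d+ S=0x[0-9A-Fa-f]+ "
    r"I=\d+ F=0x[0-9A-Fa-f]+ T=\d+(?: \(#\d+\))?$")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request"}
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port", 4: "frag-needed"}

def parse_line(line):
    """Return a dict for one ipchains log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    proto, a, b = int(d["proto"]), int(d["a"]), int(d["b"])
    rec = {"time": d["ts"], "chain": d["chain"], "target": d["target"], "iface": d["iface"],
           "proto": PROTO_NAMES.get(proto, str(proto)), "src": d["src"], "dst": d["dst"]}
    if proto == 1:
        # ipchains reuses the port columns for ICMP: src "port" = ICMP type, dst
        # "port" = code, so ":3 ... :3" is type 3 code 3 (port unreachable).
        rec["icmp_type"], rec["icmp_code"] = a, b
        what = ICMP_TYPES.get(a, "type-%d" % a)
        if a == 3:
            what += "/" + UNREACH_CODES.get(b, "code-%d" % b)
    else:
        rec["sport"], rec["dport"] = a, b
        what = "%s dport %d" % (rec["proto"], b)
    rec["what"] = what
    return rec

def summarize(lines):
    """Count packets per (src, what); a host flooding the log tops most_common()."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["src"], rec["what"])] += 1
    return counts
# Sample input: two lines from Andrew's post plus two CONSTRUCTED UDP broadcast
# lines standing in for Frank's case (addresses and ports are placeholders).
SAMPLE = [
    "Jun 6 06:43:01 celebrity kernel: Packet log: output DENY eth0 PROTO=1 xxx.xx.xxx.4:3 208.31.42.43:3 L=108 S=0xC0 I=10508 F=0x0000 T=255 (#3)",
    "Jun 6 06:43:03 celebrity kernel: Packet log: output DENY eth0 PROTO=1 xxx.xx.xxx:3 208.31.42.43:3 L=108 S=0xC0 I=10509 F=0x0000 T=255 (#3)",
    "Jun 6 06:44:00 celebrity kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:138 255.255.255.255:138 L=229 S=0x00 I=1 F=0x0000 T=128 (#7)",
    "Jun 6 06:44:01 celebrity kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:138 255.255.255.255:138 L=229 S=0x00 I=2 F=0x0000 T=128 (#7)",
]
```

Running summarize(SAMPLE).most_common() puts the constructed 192.168.0.1 broadcaster at the top with count 2, and the ICMP lines decode to "destination-unreachable/port" rather than a TCP port 3.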
On Mon, 5 Jun 2000, Frank Hart wrote: <cut>
That's the only solution I found so far.
But this won't work for you because you don't have a 3com, right? ;-) (I've seen your posts about this problem too). But I don't think I want to use a hacked 3com driver. Just change the firewall script.
Exactly, I have to hack the tulip driver to stop _seeing_ broadcasts in, for example, tcpdump. <cut>
Ok, but I don't want to stop logging incoming traffic. I want to stop logging a specific IP on a specific port.
Alright, some examples:
# This will block the entire remotenet on port 443:
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 443 -j DENY
# This will block the remotenet on port 443 for 222.222.222.222
$IPCHAINS -A input -p tcp -s 222.222.222.222 -d $OUTERNET 443 -j DENY
$IPCHAINS -A input -p udp -s 222.222.222.222 -d $OUTERNET 443 -j DENY
There are a lot more options available. Maybe you should take a look at pointman.org: "PMFirewall is an Ipchains Firewall and Masquerading Configuration Utility for Linux. It was designed to allow a beginner to build a custom firewall with little or no ipchains experience." -- www.pointman.org Pmfirewall supports tcp syncookie protection, source address verification, blocking non-routable IPs, blocking ICMP attacks, etc. It's a great utility.
Oh well, just called @home for the 34657th time about this problem. They are getting more serious about this every day now ;-)
Let's hope for better technology or better network engineers at @home.nl Greetz, Siert