Re: [SLE] ipchains mystery packets???
Gerry,
Are you sure about port 3? That's compressnet compression process! (The exclamation point means I have no idea what compressnet is.) I used to get a lot of denies on port 68 (dhclient) and 25 (smtp), but then I opened up the ruleset on the config - now I actually receive mail! Very interesting! How about this one:
martian source 0401a8c0 for ff01a8c0, dev eth2
Funny, I don't run squat on eth2 - just some smb clients, who aren't even using it when I get these! I need a firewall showme! Just for fun, though - really humble yourself, do a
#/sbin/init.d/firewall status
You will need a road map. That's my next goal, though: to understand the whole ipchains/firewall thing. I'll email you what I find....
ron
--- Gerry Doris
I created a firewall using ipchains and it seems to be working well. However, I am rejecting packets every so often that are completely a mystery to me.
These are output packets on my external interface. They are sourced from my machine and destined to my ISP's DNS server. They are being sent and received on port 3 and are using PROTO=1.
What the hell is protocol 1 and why would my system want to send these packets on port 3 to my ISP's DNS server???
Gerry
"The lyf so short, the craft so long to learne" Chaucer
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq
(For answer to prot=1 and port=3 see bottom!) Ron Heron wrote: ...
You will need a road map. That's my next goal, though, is to understand the whole ipchains/firewall thing. I'll email you what I find....
A great place to start is a) a book about TCP/IP basics (what does an IP packet look like and what do the components of the IP header mean) and b) the file /usr/src/linux/net/ipv4/ip_fw.c.

In ip_fw.c, only the function ip_fw_check() is of immediate interest. The majority of the code there is used only very rarely, when you insert/delete rules, etc. It's pretty straightforward, and you can ignore most of what you don't understand. The big do {...} loop is the major component here, and the for... loops loop through the chain of rules (ipCHAINS). It is again made much more complicated than the few lines really doing the work to handle very few exceptions. Well, you know the 95%-5% rule, that 5% of the code does 95% of the work (and vice versa)...

By the way, to answer the question about what protocol=1 means of the prev. poster, just look at /usr/include/linux/in.h. You'll find that IPPROTO_ICMP = 1, that means it's ICMP packets. Now it also becomes clear what port=3 means. ICMP doesn't have ports, so the look at /etc/services to find that 3 is "compressnet" was useless. It is ICMP type 3! To find out what ICMP type packets are, look at /usr/include/linux/icmp.h (the kernel sources are the answer to so many questions!), and we will find the line

#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */

And now we know what your problem is (there are more, but this is the most likely one in your case, I think): Someone tries to get to a service that you blocked with an ipchains rule -j REJECT. Solution: Clock with -j DENY, that doesn't send out any ICMP messages. Difference: Well, try a "telnet host" to a host that sends out REJECT messages (ICMP dest. unreachable really), and try again when it -j DENYs them. In the first case the telnet command will return with an error message immediately (after all, it got the message, immediately, that the destination is unreachable), in the second case it will hang and eventually time out (it didn't get any message after sending the initial packet and doesn't know what's going on). Ok?

-- Michael Hasenstein http://www.suse.de/~mha/ SuSE Linux AG, Nuernberg (Germany) SuSE Inc., Oakland, California (US)
Michael Hasenstein wrote:
By the way, to answer the question about what protocol=1 means of the
By the way, I also failed to see this at first and looked at /etc/services and was amazed... Anyway:
And now we know what your problem is (there are more, but this is the most liekley one iin your case, I think): Someone tries to get to a service that you blocked with an ipchains rule -j REJECT. Solution: Clock with -j DENY, that doesn't send out any ICMP messages. ^^^^^ Block
I've ten typos per sentence these days. Also, I sometimes believe my English actually gets worse instead of better... at least I see all the errors when I read my own messages afterwards. Sorry...

Another solution is, of course, to let ICMP packets pass, at least the ICMP types 0,3,8,11
- 8 and 0 are for "ping"
- 3 is for your blocking rules and generally when someone connects to either an IP that does not exist (i.e. it's sent back by routers only), or to ports where no program is listening (any machine can send this back, e.g. someone tries to connect to the SMTP (EMail-reception) port and you've no email server program running at all)
- 11 happens if the number of hops has become too big (e.g. a looping packet, or "traceroute" uses this feature intentionally)

Maybe some of the others as well, but I'd have to look up what they mean, and I'm too lazy to do it now (time to go home).

But it's a GOOD idea to let ICMP pass!!! ICMP is the information protocol. The IP protocol layer in machines on the Internet relies on it to provide information. Network admins will curse you when you turn it off completely (and, from a security point of view, unnecessarily, at least if you turn _everything_ off)...
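The two explanations above (protocol 1 is ICMP and the "port" of an ICMP packet is really its type and code, and a policy that lets types 0, 3, 8 and 11 through rather than blocking all ICMP) are easier to apply when the log lines are decoded mechanically rather than by looking numbers up in /etc/services. The Python below is an added example, not code from anyone in this thread or from the ipchains project. It assumes the ipchains "Packet log:" layout shown in the constructed sample lines, that for PROTO=1 the two port fields carry the ICMP type and code, and that the kernel's "martian source" message printed the raw 32-bit address of a little-endian host, which is why 0401a8c0 reads backwards. It also decodes Ron's martian line for the same reason: both messages are raw kernel output that makes sense only once you know the field layout.

```python
"""Decode ipchains 'Packet log:' lines and the kernel's 'martian source' message.

Added example for this thread; not code from the list posters or ipchains.
Assumptions: the log layout below (chain, target, device, PROTO=, src:port
dst:port) and, for PROTO=1, that the two port fields are ICMP type and code.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# IPPROTO_* values (linux/in.h) and ICMP types (linux/icmp.h) named in the thread
PROTO_NAMES: Dict[int, str] = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPE_NAMES: Dict[int, str] = {
    0: "echo reply",
    3: "destination unreachable",
    8: "echo request",
    11: "time exceeded",
}
# Codes of type 3 (RFC 792); code 3 is what a -j REJECT rule sends back
DEST_UNREACH_CODES: Dict[int, str] = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}
# The ICMP types the thread suggests letting through instead of blocking all ICMP
SUGGESTED_ICMP_ALLOW = {0, 3, 8, 11}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<dev>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines (not from the original post); addresses are documentation ranges
SAMPLE_LOG = """\
Aug 23 10:01:02 fw kernel: Packet log: output REJECT ppp0 PROTO=1 10.0.0.2:3 192.0.2.53:3 L=56 S=0xC0 I=61 F=0x0000 T=64
Aug 23 10:01:05 fw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.53:53 10.0.0.2:1025 L=60 S=0x00 I=0 F=0x0000 T=250
Aug 23 10:01:09 fw kernel: Packet log: input DENY ppp0 PROTO=1 198.51.100.7:8 10.0.0.2:0 L=84 S=0x00 I=0 F=0x0000 T=52
Aug 23 10:01:12 fw kernel: Packet log: input DENY ppp0 PROTO=1 203.0.113.1:11 10.0.0.2:0 L=56 S=0x00 I=0 F=0x0000 T=254
Aug 23 10:01:15 fw kernel: martian source 0401a8c0 for ff01a8c0, dev eth2
"""


@dataclass
class Entry:
    chain: str    # input / output / forward
    target: str   # DENY / REJECT / ACCEPT
    dev: str
    proto: int
    src: str
    dst: str
    sport: int    # for ICMP: the type
    dport: int    # for ICMP: the code


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an ipchains log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Entry(chain=m["chain"], target=m["target"], dev=m["dev"],
                 proto=int(m["proto"]), src=m["src"], dst=m["dst"],
                 sport=int(m["sport"]), dport=int(m["dport"]))


def policy_verdict(e: Entry) -> str:
    """What the type allow-list from the thread would do with an ICMP entry."""
    return "pass" if e.sport in SUGGESTED_ICMP_ALLOW else "block"


def describe(e: Entry) -> str:
    """Human-readable reading of one entry; an ICMP 'port' is its type/code."""
    proto = PROTO_NAMES.get(e.proto, f"proto {e.proto}")
    if e.proto != 1:
        return f"{e.chain} {e.target} {e.dev}: {proto} {e.src}:{e.sport} -> {e.dst}:{e.dport}"
    kind = ICMP_TYPE_NAMES.get(e.sport, f"type {e.sport}")
    if e.sport == 3:
        kind += f" ({DEST_UNREACH_CODES.get(e.dport, f'code {e.dport}')})"
    return (f"{e.chain} {e.target} {e.dev}: {proto} {kind} {e.src} -> {e.dst}; "
            f"allow-list of types 0,3,8,11 would {policy_verdict(e)} it")


def icmp_summary(log: str) -> Counter:
    """Count blocked ICMP packets per (chain, type): what a blanket ICMP block hides."""
    counts: Counter = Counter()
    for line in log.splitlines():
        e = parse_line(line)
        if e and e.proto == 1 and e.target in ("DENY", "REJECT"):
            counts[(e.chain, e.sport)] += 1
    return counts


def decode_martian(hexaddr: str) -> str:
    """Turn '0401a8c0' from a 'martian source' message into a dotted quad.

    Assumption: the kernel printed the raw 32-bit address on a little-endian
    host, so the network-order bytes appear reversed (0401a8c0 -> c0.a8.01.04).
    """
    return ".".join(str(b) for b in int(hexaddr, 16).to_bytes(4, "little"))


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_line(line)
        print(describe(entry) if entry else f"(not an ipchains log line) {line}")
    print("blocked ICMP by (chain, type):", dict(icmp_summary(SAMPLE_LOG)))
    print("martian:", decode_martian("0401a8c0"), "->", decode_martian("ff01a8c0"))
```

Run it and the first sample line comes out as an outbound ICMP destination unreachable / port unreachable toward the DNS server, which is exactly the packet Gerry asked about; the martian line decodes to 192.168.1.4 sending to 192.168.1.255, i.e. a broadcast from a host on the eth2 subnet, consistent with the smb clients Ron mentions.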
Damn!!! <whacking myself across the head> I have been so fixated with tcp and udp when building my firewall I completely got sidetracked when I saw the 3 reference. Of course it was icmp destination-unreachable code 3, not port 3. I had opened traceroute for outbound requests but closed it for inbound requests. What I am seeing is my firewall refusing to pass outbound icmp destination-unreachable packets which I assume are responses to an external traceroute request. I suppose I should just accept them. However, I have read that these can be used for DOS attacks on my system (not much use since I don't allow external services) but more importantly an attacker can spoof his source address to cause my system to flood the spoofed host.
Gerry
On Wed, 23 Aug 2000, Michael Hasenstein wrote:
Michael Hasenstein wrote:
By the way, to answer the question about what protocol=1 means of the
By the way, I also failed to see this at first and looked at /etc/services and was amazed...
Anyway:
And now we know what your problem is (there are more, but this is the most likely one in your case, I think): Someone tries to get to a service that you blocked with an ipchains rule -j REJECT. Solution: Clock with -j DENY, that doesn't send out any ICMP messages. ^^^^^ Block
I've ten typos per sentence these days. Also, I sometimes believe my English actually gets worse instead of better... at least I see all the errors when I read my own messages afterwards. Sorry...
Another solution is, of course, to let ICMP packets pass, at least the ICMP types 0,3,8,11
- 8 and 0 are for "ping"
- 3 is for your blocking rules and generally when someone connects to either an IP that does not exist (i.e. it's sent back by routers only), or to ports where no program is listening (any machine can send this back, e.g. someone tries to connect to the SMTP (EMail-reception) port and you've no email server program running at all)
- 11 happens if the number of hops has become too big (e.g. a looping packet, or "traceroute" uses this feature intentionally)
Maybe some of the others as well, but I'd have to look up what they mean, and I'm too lazy to do it now (time to go home).
But it's a GOOD idea to let ICMP pass!!! ICMP is the information protocol. The IP protocol layer in machines on the Internet relies on it to provide information. Network admins will curse you when you turn it off completely (and, from a security point of view, unnecessarily, at least if you turn _everything_ off)...
Gerry "The lyf so short, the craft so long to learne" Chaucer
Ron, if you are really interested in building firewalls I highly recommend "Linux Firewalls" by Robert Ziegler, published by New Riders. This book is superb. He covers step by step the chains needed for every service imaginable. He starts with a simple home system and works up to discuss DMZs etc. However, to make things even more useful you can go to the author's website and through a series of simple questions create a customized firewall for your system. To reach it go to http://linux-firewall-tools.com/linux/firewall
Gerry
On Wed, 23 Aug 2000, Ron Heron wrote:
I need a firewall showme! Just for fun, though - really humble yourself, do a #/sbin/init.d/firewall status You will need a road map. That's my next goal, though: to understand the whole ipchains/firewall thing. I'll email you what I find....
ron
Gerry "The lyf so short, the craft so long to learne" Chaucer