CSI (Security Policy) Help

Stephen John Smoogen smooge at gmail.com
Sun Feb 1 21:54:33 UTC 2009


On Sun, Feb 1, 2009 at 2:35 PM, Frank Chiulli <frankc.fedora at gmail.com> wrote:
> On Sun, Feb 1, 2009 at 11:08 AM, Stephen John Smoogen <smooge at gmail.com> wrote:
>> On Sat, Jan 31, 2009 at 10:09 PM, Frank Chiulli <frankc.fedora at gmail.com> wrote:
>>
>>>
>>> I'm not running samba.  If I put the following rule before the LOG
>>> rule, will the packets be dropped and the messages stopped?
>>>
>>> -A INPUT -p udp -s 192.168.0.0/24 -d 192.168.0.0/24 -m multiport
>>> --ports 137,138 -j DROP
>>>
>>
>> I normally go with 135:139 as they are noisy ports. On a public
>> network I have a list of ports I drop because they are noisy
>>
>>
>> -A INPUT -p tcp -m tcp --dport 67:68 -j DROP
>> -A INPUT -p tcp -m tcp --dport 135:139 -j DROP
>> -A INPUT -p tcp -m tcp --dport 445 -j DROP
>> -A INPUT -p udp -m udp --dport 67:68 -j DROP
>> -A INPUT -p udp -m udp --dport 135:139 -j DROP
>> -A INPUT -p udp -m udp --sport 177 --dport 177 -j DROP
>> -A INPUT -p udp -m udp --dport 445 -j DROP
>> -A INPUT -p udp -m udp --dport 1024:1030 -j DROP
>>
>> The 1024:1030 UDP rule drops the enormous amount of UDP pop-up spam.
>>
>>
>>
>> --
>> Stephen J Smoogen. -- BSD/GNU/Linux
>> How far that little candle throws his beams! So shines a good deed
>> in a naughty world. = Shakespeare. "The Merchant of Venice"
>>
>
> Stephen,
> Thanks for the suggestions.  I'm hoping that my router throws most of
> those away because so far all I've seen in messages is local traffic.
>
> I discovered something interesting while looking at messages.  I saw
> the following message repeated several times:
>
> Feb  1 09:03:46 localhost kernel: FW-REJECT IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:21:47:b7:86:61:08:00 SRC=0.0.0.0
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=40094
> PROTO=UDP SPT=68 DPT=67 LEN=308
>
> I was curious what it was because of 'SRC=0.0.0.0'.  It turned out to
> be my Wii.   I discovered this based on my router which keeps track of
> MAC addresses and IP addresses.  I had forgotten that it was on my
> net.

Yeah... that one can be a shocker when first looked at :). As you
probably know, the reason is that a box booting up doesn't have an IP
address, and the old standard was to use 0.0.0.0 as the default to
start up as. Some other boxes use a different source IP address, but for
the most part they are 0.0.0.0.



-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
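As an added illustration (not part of the thread), a small Python parser for the iptables LOG line quoted above: it splits the KEY=VALUE fields, decodes the 14-octet MAC= field into destination MAC, source MAC and ethertype (so the device behind SRC=0.0.0.0 can be identified from the log itself, without the router's MAC table), and tags the DHCP client broadcast and the NetBIOS chatter the thread discusses. The sample log lines are constructed; the first is modelled on the line quoted above.

```python
import re

# Constructed sample lines in the iptables LOG format; the first is modelled on
# the FW-REJECT line quoted in the thread, the others are made up for illustration.
SAMPLE_LOG = """\
Feb  1 09:03:46 localhost kernel: FW-REJECT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:47:b7:86:61:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=40094 PROTO=UDP SPT=68 DPT=67 LEN=308
Feb  1 09:04:10 localhost kernel: FW-REJECT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.0.23 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb  1 09:05:02 localhost kernel: FW-REJECT IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:66:08:00 SRC=10.9.8.7 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Split an iptables LOG line into its KEY=VALUE fields and decode the
    14-octet MAC= field into destination MAC, source MAC and ethertype."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        # LEN= appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[0:6])     # ff:ff:... = link-layer broadcast
        fields["SRC_MAC"] = ":".join(octets[6:12])    # the NIC that sent the frame
        fields["ETHERTYPE"] = "".join(octets[12:14])  # 0800 = IPv4
    return fields


def classify(fields):
    """Name the noisy-but-expected traffic patterns discussed in the thread."""
    proto, spt, dpt = fields.get("PROTO"), fields.get("SPT"), fields.get("DPT")
    if proto == "UDP" and spt == "68" and dpt == "67" and fields.get("SRC") == "0.0.0.0":
        return "dhcp-client-broadcast"  # a host without a lease looking for a DHCP server
    if proto == "UDP" and dpt in ("137", "138"):
        return "netbios-broadcast"      # Windows/Samba name-service chatter
    return "other"


def summarize(log_text):
    """Return (class, src_mac, src, dst, proto, spt, dpt) for each logged packet."""
    rows = []
    for line in log_text.splitlines():
        if "=" not in line:
            continue
        f = parse_log_line(line)
        rows.append((classify(f), f.get("SRC_MAC"), f["SRC"], f["DST"],
                     f["PROTO"], f.get("SPT"), f.get("DPT")))
    return rows


if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```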
