Thanks once again Lonnie. It's all working.

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <[email protected]>
Reply-To: AstLinux List <[email protected]>
Date: Wednesday, 24 August 2016 at 11:10 PM
To: AstLinux List <[email protected]>
Subject: Re: [Astlinux-users] Arno firewall logs

Michael,

Yes, qualifying IGMP ( -p 2 ) for only the Modem PPPOEIF should be fine, as 
IGMP over ppp0 is handled elsewhere.

Lonnie


On Aug 23, 2016, at 11:07 PM, Michael Knill <[email protected]> 
wrote:

> Could I do this:
> 
> # VDSL modem IGMP and Netbios spam
> if [ -n "$PPPOEIF" ]; then
>  echo "[CUSTOM RULE] Drop Modem IGMP and Netbios packets"
>  ip4tables -A INPUT_CHAIN -i $PPPOEIF -p 2 -j DROP
>  ip4tables -A INPUT_CHAIN -i $PPPOEIF -p udp --dport 138 -j DROP
> fi
> 
> Regards
> Michael Knill
> 
> -----Original Message-----
> From: Lonnie Abelbeck <[email protected]>
> Reply-To: AstLinux List <[email protected]>
> Date: Wednesday, 24 August 2016 at 1:40 PM
> To: AstLinux List <[email protected]>
> Subject: Re: [Astlinux-users] Arno firewall logs
> 
> Michael,
> 
> Without testing, this snippet added to your "custom-rules" should drop the 
> NETBIOS packets if PPPoE is enabled...
> -- snip --
> if [ -n "$PPPOEIF" ]; then
>  echo "[CUSTOM RULE] Drop PPPoE Modem NETBIOS packets"
>  ip4tables -A INPUT_CHAIN -i $PPPOEIF -p udp --dport 138 -j DROP
> fi
> -- snip --
> 
> Lonnie
> 
> 
> On Aug 23, 2016, at 7:41 PM, Michael Knill 
> <[email protected]> wrote:
> 
>> Thanks Lonnie
>> 
>> It does work for the IGMP packets. What should I put in for the Netbios 
>> packets?
>> 
>> Regards
>> Michael Knill
>> 
>> -----Original Message-----
>> From: Lonnie Abelbeck <[email protected]>
>> Reply-To: AstLinux List <[email protected]>
>> Date: Wednesday, 24 August 2016 at 10:33 AM
>> To: AstLinux List <[email protected]>
>> Subject: Re: [Astlinux-users] Arno firewall logs
>> 
>> Michael,
>> 
>> You must have also defined MODEM_IF_IP and/or MODEM_IP, if you only define 
>> MODEM_IF="eth0" then there should not be any logging but does allow those 
>> packets, not ideal.
>> 
>> There really should be a logging option for this plugin, Arno last modified 
>> it 5 years ago.
>> 
>> Try what Michael Keuter suggested and not enable the dsl-ppp-modem and add 
>> the custom_rules tweak(s) he posted.
>> 
>> Lonnie
>> 
>> 
>> 
>> On Aug 23, 2016, at 5:18 PM, Michael Knill 
>> <[email protected]> wrote:
>> 
>>> Hi Lonnie
>>> 
>>> Ok so I configured up the dsl-ppp-modem plugin and as Michael mentioned, it 
>>> still logs the following IGMP and Netbios packets:
>>> 
>>> Aug 24 08:12:18 4010-Breeze_HO-CM1 user.info kernel: AIF:Dropped MODEM 
>>> packet: IN=eth0 OUT= MAC=01:00:5e:00:00:01:18:a6:f7:c7:3a:2c:08:00 
>>> SRC=172.30.254.2 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF 
>>> PROTO=2
>>> Aug 24 08:16:05 4010-Breeze_HO-CM1 user.info kernel: AIF:Dropped MODEM 
>>> packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:18:a6:f7:c7:3a:2c:08:00 
>>> SRC=172.30.254.2 DST=172.30.254.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 
>>> DF PROTO=UDP SPT=138 DPT=138 LEN=221
>>> 
>>> It does say Dropped MODEM packet rather than Dropped INPUT packet though so 
>>> it did something.
>>> All log denied entries are unchecked.
>>> 
>>> Regards
>>> Michael Knill
>>> 
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <[email protected]>
>>> Reply-To: AstLinux List <[email protected]>
>>> Date: Tuesday, 23 August 2016 at 11:25 PM
>>> To: AstLinux List <[email protected]>
>>> Subject: Re: [Astlinux-users] Arno firewall logs
>>> 
>>> Hi Michael,
>>> 
>>> There is a firewall plugin for that, "dsl-ppp-modem":
>>> https://doc.astlinux.org/userdoc:tt_firewall_plugins#dsl-ppp-modem
>>> 
>>> That plugin only adds firewall rules, no routes or IP address.  It seems 
>>> defining MODEM_IF to the PPPoE external interface is the only required 
>>> setting.
>>> 
>>> Also check your Firewall sub-tab and uncheck all the "Log Denied ..." 
>>> entries to minimize logging.
>>> 
>>> Lonnie
>>> 
>>> 
>>> On Aug 23, 2016, at 6:46 AM, Michael Knill 
>>> <[email protected]> wrote:
>>> 
>>>> Hi group
>>>> 
>>>> Unfortunately I'm not that good on the firewall config.
>>>> I have an external PPPoE modem on eth0 which I access via an IP Address 
>>>> configured in rc.elocal.
>>>> Unfortunately I have recently installed a VDSL2 modem that's trying to be 
>>>> cleverer than I want it to be and it is filling up my logs with firewall 
>>>> denies from broadcast and multicast traffic:
>>>> 
>>>> Is there any way I can stop logging on this interface?
>>>> 
>>>> Regards
>>>> Michael Knill
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>> 
>>>> Donations to support AstLinux are graciously accepted via PayPal to 
>>>> [email protected].
>>>> 
>>>> 
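An added example, not part of the original thread or of AstLinux: before adding DROP rules like the ones discussed above, a summary of the "AIF:Dropped" log entries by interface, source, protocol and destination port shows which traffic a narrowly scoped rule has to match. The sample log lines are constructed, modelled on the two entries quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample input, modelled on the two log entries quoted in the
# thread (one entry per line, as the kernel writes them; host name is made up).
sample_log() {
cat <<'EOF'
Aug 24 08:12:18 gw user.info kernel: AIF:Dropped MODEM packet: IN=eth0 OUT= MAC=01:00:5e:00:00:01:18:a6:f7:c7:3a:2c:08:00 SRC=172.30.254.2 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Aug 24 08:14:23 gw user.info kernel: AIF:Dropped MODEM packet: IN=eth0 OUT= MAC=01:00:5e:00:00:01:18:a6:f7:c7:3a:2c:08:00 SRC=172.30.254.2 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Aug 24 08:16:05 gw user.info kernel: AIF:Dropped MODEM packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:18:a6:f7:c7:3a:2c:08:00 SRC=172.30.254.2 DST=172.30.254.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Aug 24 08:17:40 gw user.info kernel: eth0: link up
Aug 24 08:28:05 gw user.info kernel: AIF:Dropped MODEM packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:18:a6:f7:c7:3a:2c:08:00 SRC=172.30.254.2 DST=172.30.254.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Aug 24 08:40:05 gw user.info kernel: AIF:Dropped MODEM packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:18:a6:f7:c7:3a:2c:08:00 SRC=172.30.254.2 DST=172.30.254.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
EOF
}

# Read syslog lines on stdin and print "count interface source proto dport",
# most frequent first. Protocols without ports (e.g. PROTO=2, IGMP) get "-".
summarise_drops() {
  awk '
    /AIF:Dropped/ {
      in_if = ""; src = ""; proto = ""; dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")            # netfilter LOG fields are KEY=VALUE
        if (n == 0) continue          # skip flags such as DF and plain words
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "IN") in_if = v
        else if (k == "SRC") src = v
        else if (k == "PROTO") proto = v
        else if (k == "DPT") dpt = v
      }
      if (in_if == "" || proto == "") next   # not a packet log entry
      count[in_if " " src " " proto " " dpt]++
    }
    END { for (key in count) print count[key], key }
  ' | sort -k1,1nr -k2
}

sample_log | summarise_drops
```

Each output row corresponds to one interface and protocol (plus port) combination, so a row that is not expected modem chatter stands out before a silent DROP hides it from the log.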