Hi Tim,

>   IP              hostname                            in           out            total          last seen
> 98.159.234.100  chrysippo.dreamsinheels.com    377,452,876  8,790,117,140  9,167,570,016  2d 18h 38m 35s
> 98.159.234.101  reformidans.dreamsinheels.com  231,512,992  4,458,161,590  4,689,674,582  3d 21h 18m  8s
> 98.159.234.54   posset.dreamsinheels.com       196,503,575  3,748,136,401  3,944,639,976  2d  2h 41m 11s
> 98.159.234.72   pecunias.dreamsinheels.com     207,944,151  3,507,655,611  3,715,599,762  2d  3h  6m 12s
> 98.159.234.157  aliquod.dreamsinheels.com      132,080,873  2,002,741,007  2,134,821,880     11h 53m 38s
> 98.159.234.20   iustitiam.dreamsinheels.com     87,937,813  1,906,705,751  1,994,643,564     21h 14m 53s
...
> While I don't seem to have a list of live connections it is still making
> connections, I checked and they are showing in Wireshark when I monitor
> traffic

A TCP connection is being established after the full normal handshake?
As opposed to an incoming packet attempting to start a connection but
not progressing?  If so, a program must be actively listening on the
same TCP port to accept the connection.  What's the output of

    sudo -i ss -tlpe

> Here is a sample of one of the rules I have come up with:
>
>     -A ufw-user-logging-output -p tcp
>     -d 185.151.30.148 --dport 42474
>     -s 185.151.30.148 --sport 42474
>     -m limit --limit 3/min --limit-burst 10
>     -j LOG --log-prefix "[UFW BLOCK] "

That looks like a rule to log something about the packet.  Have you enabled
logging?
https://wiki.archlinux.org/title/Uncomplicated_Firewall#Disable_UFW_logging
says how to disable it so I think you do the opposite.  That's what
https://wiki.ubuntu.com/UncomplicatedFirewall#Basic_Usage suggests.

> I don't know how to change the single port to any port.

Why bother trying to match the port?  Just ban anything from IP addresses.
I think you just want to drop all packets from sources 98.159.234.0/24 and
185.151.130.148.  There are a couple of similar examples in
https://wiki.archlinux.org/title/Uncomplicated_Firewall#Black_listing_IP_addresses

-- 
Cheers, Ralph.

-- 
  Next meeting: Online, Jitsi, Tuesday, 2024-01-02 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
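An added example, not from this thread, that turns a source table shaped like the one quoted above into the ufw deny commands Ralph suggests: sources are collapsed to their /24 once at least N distinct hosts from that range appear, and kept as single hosts otherwise. The sample table, the threshold and the function names are my own constructions; the script prints the commands for review rather than running them.

```shell
#!/bin/sh
# Constructed sample in the shape of the quoted table (IP, hostname, in, out,
# total, last seen). The header line is deliberately included: it is skipped.
SAMPLE_TABLE='IP hostname in out total last_seen
98.159.234.100 chrysippo.dreamsinheels.com 377,452,876 8,790,117,140 9,167,570,016 2d18h
98.159.234.101 reformidans.dreamsinheels.com 231,512,992 4,458,161,590 4,689,674,582 3d21h
98.159.234.54 posset.dreamsinheels.com 196,503,575 3,748,136,401 3,944,639,976 2d2h
185.151.30.148 lone.example 1,000 2,000 3,000 1h'

# Read table rows on stdin; print one source per line, in first-seen order.
# A /24 is printed whole when it holds at least $1 distinct hosts (default 2),
# otherwise each host in it is printed on its own.
aggregate_sources() {
  awk -v min="${1:-2}" '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ / {
      split($1, o, ".")
      net = o[1] "." o[2] "." o[3]
      if (!(net in n)) nets[++k] = net
      if (!($1 in seen)) { seen[$1] = 1; n[net]++; hosts[net] = hosts[net] $1 "\n" }
    }
    END {
      for (i = 1; i <= k; i++) {
        net = nets[i]
        if (n[net] >= min) print net ".0/24"
        else printf "%s", hosts[net]
      }
    }'
}

# Emit (do not execute) ufw commands dropping everything from each source.
# "insert 1" puts the deny rules ahead of any allow rules ufw already has.
ufw_deny_cmds() {
  aggregate_sources "$1" | while read -r src; do
    printf 'ufw insert 1 deny from %s to any\n' "$src"
  done
}

printf '%s\n' "$SAMPLE_TABLE" | ufw_deny_cmds 2
```

Pipe the real table into it once the output looks right, then run the printed lines under sudo.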