On Fri, 15 Feb 2002 04:56:30 GMT
"GREGOR" <[EMAIL PROTECTED]> wrote:

> I'm using DCD, I set it up as firewall, with IP aliasing on eth0, DMZ 
> switch=PRIVATE on eth2 and internal network on eth1 (thanks to bela, charles 
> and ray).
> 
> I've got tons of logs of hits on port 53 like the following examples : 
> 
> Feb 14 06:42:04 firewall syslogd 1.3-3#31.slink1: restart.
> Feb 14 07:31:08 firewall kernel: Packet log: input DENY eth0 PROTO=6
> 167.216.144.43:53 202.149.81.55:53 L=44 S=0x00 I=0 F=0x0000 T=239 (#48) 
>  -----snip 
> 
> I've searched the mailing list archives and found the following extra lines 
> to add to the ipfilter.conf file: 
> 
> # New Port 53 filter start
> IP_LIST="`cat /etc/dns_floods`"
>  for IP in $IP_LIST; do
>     $IPCH -I input -j DENY -p tcp -s $IP/32 -d $EXTERN_IP/32 53 -i$EXTERN_IF
>  done; unset IP
> #New Port 53 filter end 
> 
> I've created the */etc/dns_floods* file as instructed in the archive and 
> also added some more IP#'s and then did *svi network reload*, but those hits 
> don't seem to stop. 
> 
> Any idea? 
> 
> Thanks in advance. 

In Dachstein, I have found somewhere in the mailing list here, that you need to add a 
SILENT DENY section to your /etc/network.conf file.

Mine reads a little like this:

SILENT_DENY="tcp_64.78.235.14_53 tcp_64.56.174.186_53 tcp_64.37.200.46_53"

and so on and so on...

Just make sure to separate each entry with a space and then type
svi network reload
and no more logging of any IPs you list doing scans on your port 53.

Again, thanks to the users on the list here for helping me with that problem.
Steve

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
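
Added example, not part of the original thread: a shell function that builds a SILENT_DENY value from ipchains "Packet log" lines like the ones quoted above. The proto_sourceIP_destport entry format is inferred from Steve's example; the function names, the hit threshold and the sample log lines (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample syslog lines (each kernel log entry is a single line).
sample_log() {
    cat <<'EOF'
Feb 14 06:42:04 firewall syslogd 1.3-3#31.slink1: restart.
Feb 14 07:31:08 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:53 203.0.113.5:53 L=44 S=0x00 I=0 F=0x0000 T=239 (#48)
Feb 14 07:31:09 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:53 203.0.113.5:53 L=44 S=0x00 I=0 F=0x0000 T=239 (#48)
Feb 14 07:32:10 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2048 203.0.113.5:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#48)
Feb 14 07:32:11 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:2049 203.0.113.5:53 L=44 S=0x00 I=0 F=0x0000 T=240 (#48)
Feb 14 07:33:00 firewall kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:1030 203.0.113.5:137 L=78 S=0x00 I=0 F=0x0000 T=112 (#48)
Feb 14 07:34:00 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.99:53 203.0.113.5:53 L=44 S=0x00 I=0 F=0x0000 T=239 (#48)
EOF
}

# silent_deny_entries PORT [MIN_HITS]  -- reads syslog text on stdin.
# Prints one proto_srcip_dstport entry per source that was denied on
# destination PORT at least MIN_HITS times (default 1).
silent_deny_entries() {
    awk -v port="$1" -v min="${2:-1}" '
        /Packet log: input DENY/ {
            proto = ""; src = ""; dst = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^PROTO=/) {          # fields after PROTO= are src, dst
                    proto = substr($i, 7); src = $(i + 1); dst = $(i + 2)
                    break
                }
            if (proto == "6") name = "tcp"
            else if (proto == "17") name = "udp"
            else next                           # skip ICMP and anything else
            # Accept only well-formed a.b.c.d:port pairs; skip truncated lines.
            if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) next
            if (dst !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) next
            split(src, s, ":"); split(dst, d, ":")
            if (d[2] != port) next
            hits[name "_" s[1] "_" d[2]]++
        }
        END { for (k in hits) if (hits[k] >= min) print k }
    ' | LC_ALL=C sort
}

# silent_deny_line PORT [MIN_HITS] -- same input, formatted for network.conf.
silent_deny_line() {
    printf 'SILENT_DENY="%s"\n' "$(silent_deny_entries "$@" | paste -s -d ' ' -)"
}

# Sources with two or more denied hits on port 53 in the sample log.
sample_log | silent_deny_line 53 2
```

Review the generated list before pasting it into /etc/network.conf, then run svi network reload as described in the reply above.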
