> [sj]  dst host 24.118.176.41
> [sj]  and tcp[2:2] & 0xfc00 == 0
> [sj]  and not dst port (22)
>
<snip>
>
> [sj] Let me state what I see the differences are between Charles' and
> Simon's ideas here; both agree on what the dst host should be, which is the
> IP of eth0. Charles is including tcp ports <1024, which means he is
> including line 3 in his example. Simon only wants to check ports 80 and 21,
> thus he would not need line 3 of Charles' example. Am I right or am I
> missing something here?
>
> No you aren't - while I'm not exactly sure what the 2nd line does in
> Charles' example (like I said, not exactly much of a scripter), it does
> look like it's blocking way more ports than mine. I just chose 80 and 21 as
> example ports (I'm blocking a few more choice ones, like common NetBus
> targets, etc).

Sorry about that...

Actually, my filter matches *LOTS* more ports than yours.  IIRC, you were
specifically matching only ports 80 and 21 (www and ftp).

The second line in my example BPF, above, matches *ALL LOW PORTS*.

What it is doing is extracting the destination port from the TCP header (2
bytes at offset 2, or tcp[2:2]).  This results in a 16 bit binary number.
To see if the number is >= 1024 (0x0400 hex), the number is binary and'd
with the mask of 0xFC00.  If the result is zero, the port number was <1024,
if the result is not zero, the number is >= 1024.

The net result of the above is to match any packets sent to "low" ports of
the host machine...since these ports are denied by the default Dachstein
firewall rules, it's safe to "tarpit" them using LaBrea.

If, however, specific ports are allowed through the firewall to provide
external services, packets to those particular ports must *NOT* be seen by
LaBrea (or LaBrea will send a RST to any inbound traffic, generally wreaking
havoc on your network connectivity), so they must be explicitly excluded by
the optional line #3.
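The mask trick described above can be checked exhaustively rather than taken on faith. The Python below is an added example, not code from the original message or from LaBrea: it builds constructed TCP headers, evaluates the `tcp[2:2] & 0xfc00 == 0` clause the way libpcap would (read two bytes at offset 2 of the TCP header, AND with the mask), and then evaluates the full three-clause filter from the thread against the 24.118.176.41 address quoted in it. Why the mask works: 1024 is 0x0400, i.e. bit 10; every port below 1024 has bits 10 through 15 clear, and 0xFC00 is exactly those six bits. The function `labrea_filter` and its `allowed_ports` parameter are hypothetical names chosen for this example. (Current libpcap also accepts `tcp dst portrange 0-1023` for the same range, which is the more readable spelling when it is available.)

```python
import struct

# Port-mask from the BPF clause `tcp[2:2] & 0xfc00 == 0`.
LOW_PORT_MASK = 0xFC00

# The host address and permitted service port quoted in the thread.
PROTECTED_IP = "24.118.176.41"


def build_tcp_header(src_port: int, dst_port: int) -> bytes:
    """Return a minimal 20-byte TCP header (constructed sample data).

    Only the source/destination ports matter for the filter; the remaining
    fields (seq, ack, data offset = 5 words, SYN flag, window) are filler.
    """
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def tcp_dst_port(tcp_header: bytes) -> int:
    """Extract the destination port exactly as `tcp[2:2]` does: 2 bytes at offset 2, big-endian."""
    return int.from_bytes(tcp_header[2:4], "big")


def bpf_low_port_clause(tcp_header: bytes) -> bool:
    """Evaluate `tcp[2:2] & 0xfc00 == 0` on a TCP header."""
    return (tcp_dst_port(tcp_header) & LOW_PORT_MASK) == 0


def mask_matches_lt_1024_for_all_ports() -> bool:
    """Exhaustively confirm the mask test equals `port < 1024` for every 16-bit port."""
    return all(((p & LOW_PORT_MASK) == 0) == (p < 1024) for p in range(65536))


def labrea_filter(dst_ip: str, tcp_header: bytes,
                  protected_ip: str = PROTECTED_IP,
                  allowed_ports: tuple = (22,)) -> bool:
    """Hypothetical evaluator for the three-clause filter in the thread:

        dst host <protected_ip>
        and tcp[2:2] & 0xfc00 == 0
        and not dst port <allowed_ports...>

    True means LaBrea would see (and tarpit) the packet; False means it is
    either not for this host, not a low port, or an explicitly excluded
    service port that the firewall lets through.
    """
    port = tcp_dst_port(tcp_header)
    return (dst_ip == protected_ip
            and (port & LOW_PORT_MASK) == 0
            and port not in allowed_ports)


if __name__ == "__main__":
    print("mask == (port < 1024) for all ports:", mask_matches_lt_1024_for_all_ports())
    for port in (21, 22, 80, 1023, 1024, 8080):
        hdr = build_tcp_header(40000, port)
        print(f"dst port {port:5d}: low-port clause={bpf_low_port_clause(hdr)!s:5} "
              f"full filter={labrea_filter(PROTECTED_IP, hdr)}")
```

Running it prints that the mask agrees with `port < 1024` for all 65536 values, that ports 21, 80 and 1023 match the low-port clause while 1024 and 8080 do not, and that port 22 matches the low-port clause but is dropped by the full filter because of the exclusion line.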

Sorry about the weird syntax, but I don't know of an easier or more coherent
way to specify any low port with BPF notation.  Any tcpdump gurus know a
better way?

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user