Why not just reject packets on the port where they scan? I imagine they
usually scan the same port number.
ie:
# Back Orifice
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
This blocks the entire outside world from accessing port 31337 (and logs it)
I think you can use port ranges by using a hyphen, but I'm not absolutely
sure 'bout that. That'd be of the form:
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 0-500 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 0-500 -j DENY
Although, I imagine that might break a lot of stuff...
There is also a destination port argument, but I'm not sure if this'll work:
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET -dport 0-500 -j
DENY
Actually, I'd imagine this one'd be closer:
$IPCHAINS -A input -l -p tcp -i $EXTERNAL_IF --destination-port 0-500 -j
DENY
$IPCHAINS -A input -l -p udp -i $EXTERNAL_IF --destination-port 0-500 -j
DENY
I hve no way to test this at the moment, but these are my inclinations...
Anyone else have any inputs?
> -----Original Message-----
> From: Halcyon [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, January 04, 2001 12:45 PM
> To: [EMAIL PROTECTED]
> Subject: blackhole firewall rules
>
> Hello, I'd like to be able to create a firewall rule that would drop all
> packets coming to my Linux box from the home.net network if they are
> trying
> to open a port below say, 500.
>
> My reason for this being that for the past year, I've ran my own IMAP mail
> server on my DSL and I've loved it. There's nothing more beautiful than
> having procmail sort all your email on the server instead of having to use
> a
> client to sort. Unfortunately, the DSL is insanely expensive, so I need
> to
> move my server over to my cable modem and cancel the DSL. I've noticed
> that
> @home portscans pretty regularly, so I need to be discreet about my mail
> server.
>
> I'm pretty sure that you can create some sort of rule with ipchains to
> become invisible to @home and if anyone can help me out or help me help
> myself, I'd greatly appreciate it.
>
> Thanks in advance,
> Halcyon
>
>
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list