Why not just reject packets on the port where they scan?  I imagine they
usually scan the same port number.

i.e.:
# Back Orifice.  $ALLADDR is assumed to hold 0.0.0.0/0 (anyone), $EXTERNAL_NET
# the box's own external address; -l logs each match, DENY drops it with no reply
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY

This blocks the entire outside world from accessing port 31337 (and logs it)

I think you can use port ranges by using a hyphen, but I'm not absolutely
sure about that.  That'd be of the form:

# ipchains writes a port range as low:high (a hyphen is not accepted)
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 0:500 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 0:500 -j DENY

Although, I imagine that might break a lot of stuff...

There is also a destination port argument, but I'm not sure if this'll work:
# the option is --dport (or --destination-port), with a double dash
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET --dport 0:500 -j DENY

Actually, I'd imagine this one'd be closer:
# -i matches only packets arriving on the external interface, so LAN traffic is untouched
$IPCHAINS -A input -l -p tcp -i $EXTERNAL_IF --destination-port 0:500 -j DENY
$IPCHAINS -A input -l -p udp -i $EXTERNAL_IF --destination-port 0:500 -j DENY

I have no way to test this at the moment, but these are my inclinations...
Anyone else have any inputs?



> -----Original Message-----
> From: Halcyon [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, January 04, 2001 12:45 PM
> To:   [EMAIL PROTECTED]
> Subject:      blackhole firewall rules
> 
> Hello, I'd like to be able to create a firewall rule that would drop all
> packets coming to my Linux box from the home.net network if they are trying
> to open a port below, say, 500.
> 
> My reason for this being that for the past year, I've run my own IMAP mail
> server on my DSL and I've loved it.  There's nothing more beautiful than
> having procmail sort all your email on the server instead of having to use a
> client to sort.  Unfortunately, the DSL is insanely expensive, so I need to
> move my server over to my cable modem and cancel the DSL.  I've noticed that
> @home portscans pretty regularly, so I need to be discreet about my mail
> server.
> 
> I'm pretty sure that you can create some sort of rule with ipchains to
> become invisible to @home and if anyone can help me out or help me help
> myself, I'd greatly appreciate it.
> 
> Thanks in advance,
> Halcyon
> 
> 
> 
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list

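Putting the pieces of this thread together, here is an added example (my own script, not code from either poster): a small sh script that emits the ipchains rules for blackholing low ports on the external interface, defaults to a dry run so the ruleset can be reviewed before it touches the kernel, and shows how to append an ACCEPT for a trusted client first so the IMAP server stays reachable from where you need it while the same ports stay dark to everyone else. The interface name eth0, the 0.0.0.0/0 source (the whole outside world rather than a specific provider netblock, which is not given in the thread), the 192.0.2.10 documentation address and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates ipchains rules
# that log and silently DENY packets arriving on the external interface for
# destination ports 1..MAX, tcp and udp. Assumptions: the external interface
# is eth0 and the source to hide from is the whole Internet (0.0.0.0/0);
# override both via the environment. DRY_RUN=1 (the default) only prints.
#
# ipchains notes: a port range is written low:high, -i names the interface,
# -l logs each match, and DENY drops without an ICMP reply (REJECT would
# answer, which tells a scanner the host is alive).

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
EXTERNAL_IF="${EXTERNAL_IF:-eth0}"      # assumption: the cable-modem interface
SCAN_NET="${SCAN_NET:-0.0.0.0/0}"       # assumption: hide from everyone
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Validate a TCP/UDP port number: digits only, 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Exception rule: ACCEPT one service from a trusted source address/network.
# ipchains uses first-match order, so this must be appended before the DENYs.
allow_service() {   # allow_service <proto> <trusted_src> <port>
    valid_port "$3" || { echo "allow_service: bad port '$3'" >&2; return 1; }
    run "$IPCHAINS" -A input -p "$1" -i "$EXTERNAL_IF" -s "$2" \
        --destination-port "$3" -j ACCEPT
}

# One logging DENY rule for a protocol and an inclusive port range.
deny_range() {      # deny_range <proto> <low> <high>
    run "$IPCHAINS" -A input -l -p "$1" -i "$EXTERNAL_IF" -s "$SCAN_NET" \
        --destination-port "$2:$3" -j DENY
}

# Blackhole every port from 1 up to and including MAX, for tcp and udp,
# but only on the external interface so LAN clients are unaffected.
blackhole_low_ports() {   # blackhole_low_ports <max_port>
    valid_port "$1" || { echo "blackhole_low_ports: bad port '$1'" >&2; return 1; }
    deny_range tcp 1 "$1"
    deny_range udp 1 "$1"
}

# Usage: DRY_RUN=1 sh blackhole.sh 500    (review the rules)
#        DRY_RUN=0 sh blackhole.sh 500    (load them)
# Put an allow_service call before blackhole_low_ports for any address that
# must still reach the IMAP port, e.g.  allow_service tcp 192.0.2.10 143
# (192.0.2.10 is a documentation address standing in for your own client).
if [ "$#" -ge 1 ]; then
    blackhole_low_ports "$1"
fi
```

Run it once with DRY_RUN=1 and read the printed rules before loading them: the DENY lines carry -l, so once loaded every scan of the covered ports shows up in the kernel log, and because DENY (not REJECT) is used the scanner gets no ICMP back and cannot tell a filtered port from an unplugged host.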