Re: [Leaf-user] EIGRP (88) protocol ???

2001-12-07 Thread David Douthitt

"Michael D. Schleif" wrote:

> However, how do I silently deny anything from any source that is
> destined for 255.255.255.255 ???
> 
> Since AT&T Broadband moved me to the new network, I am flooded with this
> crap:
> 
> PROTO=17 12.242.20.50:67 255.255.255.255:68
> 
> What do you think?

That's the bootp protocol (ports 67 and 68).  Just don't log blocks on
those ports (though I'm not sure how you'd do that in
Eigerstein/Dachstein...)

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] EIGRP (88) protocol ???

2001-12-07 Thread Michael D. Schleif


Charles Steinkuehler wrote:
> 
> > > Regarding silent deny's...you can block the whole
> > > 224.0.0.0/4 range (RFC-1112 Class-D multicast) without worry.
> > > That catches IGMP, IGRP, EIGRP, and probably others. As you'd
> > > expect, this is in the same "reduce my log noise" section of
> > > echowall.rules.
> >
> > And, what is the best way to do this?
> >
> > Charles, is this possible with SILENT_DENY?
> 
> SILENT_DENY="all_224.0.0.0/4"

Is this for Source or Destination -- 224.0.0.0 ???

If I understand the underlying code, your example will silently deny
everything from the 224.0.0.0/4 network, regardless of where
(destination) it is destined.

However, how do I silently deny anything from any source that is
destined for 255.255.255.255 ???

Since AT&T Broadband moved me to the new network, I am flooded with this
crap:

PROTO=17 12.242.20.50:67 255.255.255.255:68

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




Re: [Leaf-user] EIGRP (88) protocol ???

2001-12-01 Thread Charles Steinkuehler

> > Regarding silent deny's...you can block the whole
> > 224.0.0.0/4 range (RFC-1112 Class-D multicast) without worry.
> > That catches IGMP, IGRP, EIGRP, and probably others. As you'd
> > expect, this is in the same "reduce my log noise" section of
> > echowall.rules.
> 
> And, what is the best way to do this?
> 
> Charles, is this possible with SILENT_DENY?

SILENT_DENY="all_224.0.0.0/4"

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] EIGRP (88) protocol ???

2001-12-01 Thread Scott C. Best

Michael:

I'm sure it's possible with SILENT_DENY, I just
don't use it. Charles will be able to provide details,
no doubt.
Here's the relevant portion from the echoWall
rules file. Hope it helps!

-Scott

# -- next, block reserved-address traffic, a-la CIAC alert K-032
# -- includes: 0.0.0.0/8      [Historical Broadcast]
# --           169.254.0.0/16 [DHCP default]
# --           192.0.2.0/24   [TEST-NET]
# --           224.0.0.0/4    [RFC-1112, Class-D multicast]
# --                          [224.0.0.0 through 239.255.255.255]
# --           240.0.0.0/5    [Class-E multicast]
# --           248.0.0.0/5    [Unallocated]
# --
# -- use -b switch to create one -d for every -s

$IPCHAINS -A input -i $IF_EXT -b -s 0.0.0.0/8 -j DENY
$IPCHAINS -A input -i $IF_EXT -b -s 169.254.0.0/16 -j DENY
$IPCHAINS -A input -i $IF_EXT -b -s 192.0.2.0/24 -j DENY
$IPCHAINS -A input -i $IF_EXT -b -s 224.0.0.0/4 -j DENY
$IPCHAINS -A input -i $IF_EXT -b -s 240.0.0.0/5 -j DENY
$IPCHAINS -A input -i $IF_EXT -b -s 248.0.0.0/5 -j DENY


On Sat, 1 Dec 2001, Michael D. Schleif wrote:

>
> "Scott C. Best" wrote:
> >
> > Heya. Thanks for the packet log, am updating fwlog.pl
> > to include an awareness of protocol 88. It knew about regular
> > IGRP (IP protocol 9) but not this one. :)
> >
> > Regarding silent deny's...you can block the whole
> > 224.0.0.0/4 range (RFC-1112 Class-D multicast) without worry.
> > That catches IGMP, IGRP, EIGRP, and probably others. As you'd
> > expect, this is in the same "reduce my log noise" section of
> > echowall.rules.
>
> And, what is the best way to do this?
>
> Charles, is this possible with SILENT_DENY?
>
> Or, need we implement a special ipchains rule in /etc/ipchains.input ???
>
> What do you think?
>
> > > We just connected Dachstein-CD to a T-1 via Sangoma panpipe pci card.
> > >
> > > We are receiving a plethora of these:
> > >
> > > kernel: Packet log: input DENY wan PROTO=88 x.y.z.158:65535
> > > 224.0.0.10:65535 L=60 S=0xC0 I=0 F=0x T=2 (#39)
> > >
> > > Yes, we know that protocol 88 is EIGRP.
> > >
> > > No, Ethernet <http://www.echogent.com/cgi-bin/fwlog.pl> does not
> > > recognize this.
> > >
> > > [1] Does this represent a problem?  Or, is this a candidate for Silent
> > > Deny?
> > >
> > > [2] Dachstein Silent Deny handles *only* icmp, tcp and udp.  What is the
> > > best way to Silent Deny these?
> > >
> > > What do you think?
>
> --
>
> Best Regards,
>
> mds
> mds resource
> 888.250.3987
>
> Dare to fix things before they break . . .
>
> Our capacity for understanding is inversely proportional to how much we
> think we know.  The more I know, the more I know I don't know . . .
>





Re: [Leaf-user] EIGRP (88) protocol ???

2001-11-30 Thread Michael D. Schleif


"Scott C. Best" wrote:
> 
> Heya. Thanks for the packet log, am updating fwlog.pl
> to include an awareness of protocol 88. It knew about regular
> IGRP (IP protocol 9) but not this one. :)
> 
> Regarding silent deny's...you can block the whole
> 224.0.0.0/4 range (RFC-1112 Class-D multicast) without worry.
> That catches IGMP, IGRP, EIGRP, and probably others. As you'd
> expect, this is in the same "reduce my log noise" section of
> echowall.rules.

And, what is the best way to do this?

Charles, is this possible with SILENT_DENY?

Or, need we implement a special ipchains rule in /etc/ipchains.input ???

What do you think?

> > We just connected Dachstein-CD to a T-1 via Sangoma panpipe pci card.
> >
> > We are receiving a plethora of these:
> >
> > kernel: Packet log: input DENY wan PROTO=88 x.y.z.158:65535
> > 224.0.0.10:65535 L=60 S=0xC0 I=0 F=0x T=2 (#39)
> >
> > Yes, we know that protocol 88 is EIGRP.
> >
> > No, Ethernet <http://www.echogent.com/cgi-bin/fwlog.pl> does not
> > recognize this.
> >
> > [1] Does this represent a problem?  Or, is this a candidate for Silent
> > Deny?
> >
> > [2] Dachstein Silent Deny handles *only* icmp, tcp and udp.  What is the
> > best way to Silent Deny these?
> >
> > What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




Re: [Leaf-user] EIGRP (88) protocol ???

2001-11-30 Thread Scott C. Best

Michael:

Heya. Thanks for the packet log, am updating fwlog.pl
to include an awareness of protocol 88. It knew about regular
IGRP (IP protocol 9) but not this one. :)

Regarding silent deny's...you can block the whole
224.0.0.0/4 range (RFC-1112 Class-D multicast) without worry.
That catches IGMP, IGRP, EIGRP, and probably others. As you'd
expect, this is in the same "reduce my log noise" section of
echowall.rules.

cheers,
Scott


> We just connected Dachstein-CD to a T-1 via Sangoma panpipe pci card.
>
> We are receiving a plethora of these:
>
> kernel: Packet log: input DENY wan PROTO=88 x.y.z.158:65535
> 224.0.0.10:65535 L=60 S=0xC0 I=0 F=0x T=2 (#39)
>
> Yes, we know that protocol 88 is EIGRP.
>
> No, Ethernet <http://www.echogent.com/cgi-bin/fwlog.pl> does not
> recognize this.
>
> [1] Does this represent a problem?  Or, is this a candidate for Silent
> Deny?
>
> [2] Dachstein Silent Deny handles *only* icmp, tcp and udp.  What is the
> best way to Silent Deny these?
>
> What do you think?








Re: [Leaf-user] EIGRP (88) protocol ???

2001-11-30 Thread Michael D. Schleif


Charles, thank you!

Charles Steinkuehler wrote:
> 
> > kernel: Packet log: input DENY wan PROTO=88 x.y.z.158:65535
> > 224.0.0.10:65535 L=60 S=0xC0 I=0 F=0x T=2 (#39)
> >
> > Yes, we know that protocol 88 is EIGRP.
> >
> > No, Ethernet <http://www.echogent.com/cgi-bin/fwlog.pl> does not
> > recognize this.
> >
> > [1] Does this represent a problem?  Or, is this a candidate for Silent
> > Deny?
> 
> Not a problem, unless you feel compelled to get a Cisco or other advanced
> router running so you can start swapping routing info with your ISP...of
> course they probably won't listen to you anyway (unless they don't know how
> to properly configure their router).
> 
> Ideal candidate for the bit-bucket.
> 
> > [2] Dachstein Silent Deny handles *only* icmp, tcp and udp.  What is the
> > best way to Silent Deny these?
> 
> Um...not exactly.  IPChains (and hence most of the network.conf settings)
> only knows about icmp, tcp, and udp by NAME, but you can stick in arbitrary
> protocols if you want.  From Dachstein network.conf:
> 
> # Traffic to completely ignore...define here to prevent filling your logs
> # Space seperated list: protocol_srcip/mask_dstport
> #SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"
> 
> So you want something like:
> SILENT_DENY="88_x.y.z.158"

Of course, you know that I tried:

SILENT_DENY="88_x.y.z.158_65535"

which did *NOT* work -- and, I blindly assumed that SILENT_DENY could
not work for this scenario ;>

Again, the laugh is on me!

Anyway, yes, your solution works perfectly -- thank you !!!

> Must be one of those new ipv6 addresses...is that base64
> encoding?
> 
> Note the missing third field (port number), which only makes sense with
> icmp/tcp/udp.  Leaving this blank prevents the error you would get trying to
> specify a port with a custom protocol.
> 
> Not really obvious, but it should work...
> Maybe I should make the comment something like:
> # Space seperated list: protocol_srcip/mask[_dstport]

It would have saved me a post ;>

Nevertheless, it is good that this scenario is now in the archives . . .

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




Re: [Leaf-user] EIGRP (88) protocol ???

2001-11-30 Thread Charles Steinkuehler

> kernel: Packet log: input DENY wan PROTO=88 x.y.z.158:65535
> 224.0.0.10:65535 L=60 S=0xC0 I=0 F=0x T=2 (#39)
>
> Yes, we know that protocol 88 is EIGRP.
>
> No, Ethernet <http://www.echogent.com/cgi-bin/fwlog.pl> does not
> recognize this.
>
> [1] Does this represent a problem?  Or, is this a candidate for Silent
> Deny?

Not a problem, unless you feel compelled to get a Cisco or other advanced
router running so you can start swapping routing info with your ISP...of
course they probably won't listen to you anyway (unless they don't know how
to properly configure their router).

Ideal candidate for the bit-bucket.

> [2] Dachstein Silent Deny handles *only* icmp, tcp and udp.  What is the
> best way to Silent Deny these?

Um...not exactly.  IPChains (and hence most of the network.conf settings)
only knows about icmp, tcp, and udp by NAME, but you can stick in arbitrary
protocols if you want.  From Dachstein network.conf:

# Traffic to completely ignore...define here to prevent filling your logs
# Space seperated list: protocol_srcip/mask_dstport
#SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"

So you want something like:
SILENT_DENY="88_x.y.z.158"

Must be one of those new ipv6 addresses...is that base64
encoding?

Note the missing third field (port number), which only makes sense with
icmp/tcp/udp.  Leaving this blank prevents the error you would get trying to
specify a port with a custom protocol.

Not really obvious, but it should work...
Maybe I should make the comment something like:
# Space seperated list: protocol_srcip/mask[_dstport]

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
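
Added example (not part of the original messages and not Dachstein's own code): a small shell parser for the protocol_srcip/mask[_dstport] entry format discussed above, showing why "88_x.y.z.158" is accepted while "88_x.y.z.158_65535" is rejected. The mapping to ipchains arguments, the interface name "wan", and handling the third field only for tcp and udp are assumptions.

```sh
#!/bin/sh
# Added example, not Dachstein code: expand SILENT_DENY entries of the form
#   protocol_srcip/mask[_dstport]
# into ipchains rule text. Rules are printed only, never executed.
# Assumptions: the mapping to ipchains arguments, the interface name "wan",
# and that a third field is only handled for tcp and udp.

IF_EXT=wan

# Print the rule for one entry; return 1 (reason on stderr) if it is malformed.
silent_deny_rule() {
    entry=$1
    old_ifs=$IFS; IFS=_
    set -- $entry            # split on "_": protocol, source, optional port
    IFS=$old_ifs
    proto=$1 src=$2 port=$3

    if [ -z "$proto" ] || [ -z "$src" ] || [ $# -gt 3 ]; then
        echo "bad entry: $entry" >&2
        return 1
    fi
    # A port field is meaningless for a bare protocol number such as 88.
    if [ -n "$port" ]; then
        case $proto in
            tcp|udp) ;;
            *) echo "port given with protocol $proto: $entry" >&2
               return 1 ;;
        esac
    fi
    # No -l flag: a matching packet is denied without a log line.
    echo "ipchains -A input -i $IF_EXT -p $proto -s $src -d 0/0${port:+ $port} -j DENY"
}

# Expand a space-separated list; status is 1 if any entry was rejected.
silent_deny_rules() {
    rc=0
    for e in $1; do
        silent_deny_rule "$e" || rc=1
    done
    return $rc
}

# Constructed sample list built from the values quoted in the thread.
SAMPLE="88_x.y.z.158 all_224.0.0.0/4 udp_207.235.84.0/24_37 88_x.y.z.158_65535"
silent_deny_rules "$SAMPLE" || echo "one or more entries rejected" >&2
```

Every generated rule matches on source address (-s) only, which is why an entry such as "all_224.0.0.0/4" keys on where the packet came from, not where it is going.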






RE: [Leaf-user] EIGRP (88) protocol ???

2001-11-30 Thread Eddie Wilson

Did you have any problems getting the wanpipe to run? I cannot access my 
S508/FT1 with Dachstein. If I run cfgft1 I get 'Failed to start FT1 driver 
for device: wanpipe1!'

I have loaded the latest modules from Sangoma's LRP folder.

Eddie

-----Original Message-----
From:   Michael D. Schleif [SMTP:[EMAIL PROTECTED]]
Sent:   Friday, November 30, 2001 4:09 PM
To: LEAF
Subject:        [Leaf-user] EIGRP (88) protocol ???


We just connected Dachstein-CD to a T-1 via Sangoma panpipe pci card.

We are receiving a plethora of these:

kernel: Packet log: input DENY wan PROTO=88 x.y.z.158:65535
224.0.0.10:65535 L=60 S=0xC0 I=0 F=0x T=2 (#39)

Yes, we know that protocol 88 is EIGRP.

No, Ethernet <http://www.echogent.com/cgi-bin/fwlog.pl> does not
recognize this.

[1] Does this represent a problem?  Or, is this a candidate for Silent
Deny?

[2] Dachstein Silent Deny handles *only* icmp, tcp and udp.  What is the
best way to Silent Deny these?

What do you think?

--

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




[Leaf-user] EIGRP (88) protocol ???

2001-11-30 Thread Michael D. Schleif


We just connected Dachstein-CD to a T-1 via Sangoma panpipe pci card.

We are receiving a plethora of these:

kernel: Packet log: input DENY wan PROTO=88 x.y.z.158:65535
224.0.0.10:65535 L=60 S=0xC0 I=0 F=0x T=2 (#39)

Yes, we know that protocol 88 is EIGRP.

No, Ethernet <http://www.echogent.com/cgi-bin/fwlog.pl> does not
recognize this.

[1] Does this represent a problem?  Or, is this a candidate for Silent
Deny?

[2] Dachstein Silent Deny handles *only* icmp, tcp and udp.  What is the
best way to Silent Deny these?

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
