Re: [leaf-user] Need Help Debugging Firewall Rules - Dachstein

2002-06-03 Thread Michael D. Schleif



Vintage wrote:
 
 I have searched the FAQs and mail archives but could not find the solution.
 I am currently running Dachstein (CD version) on the Road Runner cable
 network.  As might be expected on a cable network, my logs quickly overfill
 with the following noise:
 
 Every few seconds -
 
 Jun 3 10:50:30 firewall kernel: Packet log: input DENY eth0 PROTO=17
 10.40.32.1:67 255.255.255.255:68 L=333 S=0x80 I=31378 F=0x T=255 (#9)
 
 Every three minutes -
 
 Jun 3 10:49:58 firewall kernel: Packet log: input DENY eth0 PROTO=2
 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x T=1 (#11)
 
 Thus, I added the following two rules to my Network.conf file.
 
 
 ##
 #Ignored Traffic:
 
 ##
 
 SILENT_DENY=17_10.40.32.1_68
 SILENT_DENY=all_224.0.0.0/4
 
 
 ##

[ snip ]

First off, by declaring SILENT_DENY twice (2x), the second cancels, or
overwrites, the first.  Consider this:

SILENT_DENY=17_10.40.32.1_68 all_224.0.0.0/4

However, this is not all of your problem.

Notice the format for SILENT_DENY:

Format: protocol_srcip[/mask][_dstport]

`srcip' means, literally, source IP address -- you have used the
_destination_ address for your second instantiation.

Unfortunately, SILENT_DENY cannot, yet, deal with destinations.  You are
going to need to use the constructs that immediately follow in
/etc/network.conf:

IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

Actually, since the errors that you want to ignore are both input
entries, you will need to create a /etc/ipchains.input -- and back it up
when you are done.  You might want to be specific, like the following,
or broaden the protocol to `all' and/or broaden the destination to
224.0.0.0/4:

$IPCH -I input -j DENY -p 2 -s 0/0 -d 224.0.0.1 -i $EXTERN_IF

hth

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .

___

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
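The fix from the reply above, written out as an added example (this is not code from either post or from the Dachstein distribution): one space-separated SILENT_DENY assignment, a check that flags entries where a destination was written in the srcip field, and the /etc/ipchains.input rules for the multicast case. It assumes $IPCH and $EXTERN_IF are set by /etc/network.conf; the check function and the broadened 224.0.0.0/4 match are my additions.

```shell
#!/bin/sh
# Added example, not from the original posts. Assumes /etc/network.conf sets $IPCH and
# $EXTERN_IF (the defaults below only let the file run stand-alone).
: "${IPCH:=/sbin/ipchains}"
: "${EXTERN_IF:=eth0}"

# Multiple entries go in ONE space-separated assignment; a second SILENT_DENY= line
# would simply overwrite the first.
SILENT_DENY="17_10.40.32.1_68"

# Check each entry against the documented format protocol_srcip[/mask][_dstport].
# An "srcip" inside 224.0.0.0/4 can only be a destination (multicast is never a source),
# which SILENT_DENY cannot match. Returns the number of suspicious entries.
check_silent_deny() {
    bad=0
    for entry in $1; do
        proto=${entry%%_*}
        rest=${entry#*_}
        srcip=${rest%%_*}
        first=${srcip%%.*}
        case "$proto" in
            all|tcp|udp|icmp|[0-9]*) ;;
            *) echo "$entry: unknown protocol '$proto'"; bad=$((bad + 1)); continue ;;
        esac
        case "$first" in *[!0-9]*|'') continue ;; esac
        if [ "$first" -ge 224 ] && [ "$first" -le 239 ]; then
            echo "$entry: $srcip is multicast; SILENT_DENY matches the SOURCE address only"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Body for /etc/ipchains.input. Rules are inserted (-I) at the head of the input chain,
# so they run before Dachstein's final logging DENY; the second -I ends up first.
silent_input_rules() {
    # PROTO=17 10.40.32.1:67 -> 255.255.255.255:68 (the ISP's DHCP broadcasts)
    "$IPCH" -I input -j DENY -p udp -s 10.40.32.1 67 -d 255.255.255.255 68 -i "$EXTERN_IF"
    # PROTO=2 (IGMP) queries to 224.0.0.1, broadened to the whole multicast block
    "$IPCH" -I input -j DENY -p 2 -s 0/0 -d 224.0.0.0/4 -i "$EXTERN_IF"
}
```

Run `check_silent_deny "$SILENT_DENY"` from network.conf before the rules are loaded; set IPCH=echo to preview the ipchains commands without touching the live chains.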



RE: [leaf-user] Need Help Debugging Firewall Rules - Dachstein

2002-06-03 Thread Vintage
 pkts bytes target  prot opt tosa tosx ifname mark  source      destination  ports
                                                                0.0.0.0/0   179 ->  *
    0     0 RETURN  tcp  --  0xFF 0x00  *     0x1   0.0.0.0/0   0.0.0.0/0     * ->  53
    0     0 RETURN  tcp  --  0xFF 0x00  *     0x1   0.0.0.0/0   0.0.0.0/0    53 ->   *
   10   636 RETURN  udp  --  0xFF 0x00  *     0x1   0.0.0.0/0   0.0.0.0/0     * ->  53
    4   836 RETURN  udp  --  0xFF 0x00  *     0x1   0.0.0.0/0   0.0.0.0/0    53 ->   *
    0     0 RETURN  tcp  --  0xFF 0x00  *     0x2   0.0.0.0/0   0.0.0.0/0     * ->  23
    0     0 RETURN  tcp  --  0xFF 0x00  *     0x2   0.0.0.0/0   0.0.0.0/0    23 ->   *
    0     0 RETURN  tcp  --  0xFF 0x00  *     0x2   0.0.0.0/0   0.0.0.0/0     * ->  22
    0     0 RETURN  tcp  --  0xFF 0x00  *     0x2   0.0.0.0/0   0.0.0.0/0    22 ->   *


-Vintage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Michael D.
Schleif
Sent: Monday, June 03, 2002 11:40 AM
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Need Help Debugging Firewall Rules - Dachstein