[OLUG] Firewall Help

W. Mark Hagler hagler at th.in.gs
Sun May 14 19:56:18 UTC 2000


IP Protocol number 17 is UDP.  The IP address 169.254.205.249 is
interesting... this block of IP numbers is reserved by the IANA "..for use
with Link Local networks" and wouldn't be seen on the Internet.   The
other address, 24.3.232.34, is one of the @home DNS servers, and UDP
port 53 is the port for DNS lookups.

Two questions..  is eth1 your inside or outside interface, and are you
using 169.254.0.0 IP numbers anywhere?

I vaguely remember something about Windows machines using IP numbers
from a reserved block when they failed to obtain an IP number from a DHCP
server.  Do you have any Windows machines set to "automatically obtain
IP number" on your local network?


"Good. Root. What is difference?" wrote:
> 
> Okay, I finally got a decent firewall running, ip masqing and some
> protective measures.  However, now my /var/log/messages is growing by
> the second... every few minutes or so, I get this line:
> 
> May 14 13:31:00 cx114367-a kernel: Packet log: input REJECT eth1
> PROTO=17 169.254.205.249:137 24.3.232.34:53 L=71 S=0x00 I=37387 F=0x0000
> T=128 (#5)
> 
> Obviously, I'd like to minimize the stuff in my log.
> 
> I've attached my rc.firewall, which I pretty much ripped from the
> Stronger IP rulesets section of the masquerading HOWTO. Any help would
> be appreciated.
> 
> Jason
> 
>   ------------------------------------------------------------------------
> /sbin/depmod -a
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /sbin/modprobe ip_masq_ftp
> /sbin/modprobe ip_masq_irc
> /sbin/modprobe ip_masq_raudio
> 
> #extip="24.7.37.34"
> #extint="eth0"
> #intint="eth1"
> #intnet="192.168.10.0/24"
> 
> #export extip extint intint intnet
> 
> /sbin/ipchains -M -S 7200 10 160
> 
> # -------------------------------
> # Input policies
> # --------------------------------
> # First, we set a default policy of REJECT
> ipchains -F input
> ipchains -P input REJECT
> 
> # Local machines are cool.
> ipchains -A input -i eth1 -s 192.168.10.0/24 -d 0.0.0.0/0 -j ACCEPT
> ipchains -A input -i eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -l -j REJECT
> ipchains -A input -i eth0 -s 0.0.0.0/0 -d 24.7.37.34/32 -j ACCEPT
> ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
> ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
> 
> # -------------------------------
> # Output policies
> # ------------------------------
> # First, we once again set the default policy to REJECT
> 
> ipchains -F output
> ipchains -P output REJECT
> 
> # Once again, local machines are cool
> 
> ipchains -A output -i eth1 -s 0.0.0.0/0 -d 192.168.10.0/24 -j ACCEPT
> ipchains -A output -i eth0 -s 0.0.0.0/0 -d 192.168.10.0/24 -l -j REJECT
> ipchains -A output -i eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -l -j REJECT
> ipchains -A output -i eth0 -s 24.7.37.34/32 -d 0.0.0.0/0 -j ACCEPT
> ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
> ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
> 
> # -----------------------------------
> # Forward (aka Masquerade) policies
> # -----------------------------------
> # Again, default is deny
> 
> /sbin/ipchains -P forward DENY
> 
> # The local network is cool
> /sbin/ipchains -A forward -s 192.168.10.0/24 -j MASQ
> 
> # Non-local network is cool
> ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
> 

-- 
  Email is packaged by intellectual weight, not volume. Some
  settling of contents may have occurred during transmission.

-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/
To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`
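The log line Jason quoted is the ipchains "Packet log:" format that Mark decodes above (chain, target, interface, PROTO number, src:port, dst:port, matching rule number). The script below is an added example, not part of this thread: it parses such lines, names the protocol, flags sources in the link-local 169.254.0.0/16 block, and counts rejected flows so the noisiest one can be handled by a single specific rule instead of the logged catch-all. The log lines in SAMPLE_LOG are constructed (the first is the one from the post, joined onto one line); the field names and the PROTO_NAMES table are this example's own choices.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: the first line is the one quoted in the post, the
# others are made up in the same ipchains "Packet log:" format.
SAMPLE_LOG = """\
May 14 13:31:00 cx114367-a kernel: Packet log: input REJECT eth1 PROTO=17 169.254.205.249:137 24.3.232.34:53 L=71 S=0x00 I=37387 F=0x0000 T=128 (#5)
May 14 13:33:10 cx114367-a kernel: Packet log: input REJECT eth1 PROTO=17 169.254.205.249:137 24.3.232.34:53 L=71 S=0x00 I=37401 F=0x0000 T=128 (#5)
May 14 13:35:42 cx114367-a kernel: Packet log: input REJECT eth0 PROTO=6 10.0.0.5:4231 24.7.37.34:23 L=44 S=0x00 I=9001 F=0x4000 T=64 (#5)
"""

# chain target iface PROTO=n src:sport dst:dport ... (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers
LINK_LOCAL = ip_network("169.254.0.0/16")          # never routed on the Internet

def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None
    when the line is not a Packet log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "rule"):
        rec[k] = int(rec[k])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["src_link_local"] = ip_address(rec["src"]) in LINK_LOCAL
    return rec

def summarize(text):
    """Count logged packets per (chain, iface, proto, src, dst:port) and
    collect link-local sources (hosts that likely got no DHCP lease)."""
    flows, link_local_src = Counter(), set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flows[(rec["chain"], rec["iface"], rec["proto_name"], rec["src"],
               f"{rec['dst']}:{rec['dport']}")] += 1
        if rec["src_link_local"]:
            link_local_src.add(rec["src"])
    return flows, link_local_src

if __name__ == "__main__":
    flows, ll = summarize(SAMPLE_LOG)
    for key, n in flows.most_common():
        print(n, *key)
    print("link-local sources:", sorted(ll))
```

Run it over /var/log/messages instead of SAMPLE_LOG to see which single flow produces most of the noise; a source in 169.254/16 on the inside interface points at a host that never got its DHCP lease rather than at anything on the Internet.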