Complete.Org: Mailing Lists: Archives: discussion: August 1999:
[aclug-L] firewall flotsam & jetsam 		Home

[aclug-L] firewall flotsam & jetsam

[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
To: aclug-L@xxxxxxxxxxxx
Subject: [aclug-L] firewall flotsam & jetsam
From: Jeff <schaller@xxxxxxxxxxxxx>
Date: Wed, 4 Aug 1999 06:50:08 -0500 (CDT)
Reply-to: aclug-L@xxxxxxxxxxxx 
I also mentioned at the meeting that a firewall is a Good Idea.
Here's what my simple little packet-filtering firewall (with ipchains)
has picked up recently (I've been playing with the format as I go):

 Jul  8 14:47:28    209-239-196-220.oak.jps.net :   4357 -> telnet over tcp
 Jul  8 14:47:41    209-239-196-220.oak.jps.net :   4357 -> telnet over tcp
 Jul  8 16:54:11    209-239-196-220.oak.jps.net :   4576 -> telnet over tcp
 Jul  8 16:54:14    209-239-196-220.oak.jps.net :   4576 -> telnet over tcp
 Jul  8 16:54:33    209-239-196-220.oak.jps.net :   4576 -> telnet over tcp
 Jul  9 19:48:32     209-239-208-97.stk.jps.net :   4308 -> telnet over tcp
 Jul  9 19:48:35     209-239-208-97.stk.jps.net :   4308 -> telnet over tcp
 Jul  9 19:48:42     209-239-208-97.stk.jps.net :   4308 -> telnet over tcp
 Jul  9 19:48:55     209-239-208-97.stk.jps.net :   4308 -> telnet over tcp
 Jul  9 20:02:55                  cs5.yahoo.com :   5050 -> 1031 over tcp
 Jul  9 20:04:12                  cs5.yahoo.com :   5050 -> 1031 over tcp
 Jul  9 20:05:19                  cs5.yahoo.com :   5050 -> 1031 over tcp
 Jul  9 20:05:19                  cs5.yahoo.com :   5050 -> 1031 over tcp
 Jul  9 20:05:23                  cs5.yahoo.com :   5050 -> 1031 over tcp
 Jul  9 20:05:29                  cs5.yahoo.com :   5050 -> 1031 over tcp
 Jul  9 20:05:32                  cs5.yahoo.com :   5050 -> 1031 over tcp
 Jul  9 20:05:48                  cs5.yahoo.com :   5050 -> 1031 over tcp
!  Jul 10 06:04:28                    icq.icq.com :   4000 -> 1026 over udp
!  Jul 10 06:05:15                  208.233.88.19 : netbios-ns -> netbios-ns 
over udp
!  Jul 10 06:05:16                  208.233.88.19 : netbios-ns -> netbios-ns 
over udp
!  Jul 10 06:05:18                  208.233.88.19 : netbios-ns -> netbios-ns 
over udp
!  Jul 12 21:51:13                    icq.icq.com :   4000 -> 1605 over udp
!  Jul 12 21:51:19                    icq.icq.com :   4000 -> 1605 over udp
!  Jul 12 21:51:25                    icq.icq.com :   4000 -> 1605 over udp
!  Jul 12 21:51:31                    icq.icq.com :   4000 -> 1605 over udp
!  Jul 12 21:51:37                    icq.icq.com :   4000 -> 1605 over udp
!  Jul 12 21:51:43                    icq.icq.com :   4000 -> 1605 over udp
!  Jul 13 19:50:18 904.Hssi8-0-0.GW1.DFW7.ALTER.NET :      3 -> tcpmux over icmp
!  Jul 14 06:35:56                      localhost :    987 -> sunrpc over udp
!  Jul 14 06:36:06                      localhost :    956 -> sunrpc over udp
!  Jul 14 01:18:35                  216.70.129.70 :   3317 -> imap2 over tcp
!  Jul 14 01:18:38                  216.70.129.70 :   3317 -> imap2 over tcp
!  Jul 14 01:18:44                  216.70.129.70 :   3317 -> imap2 over tcp
!  Jul 14 22:28:22 904.Hssi8-0-0.GW1.DFW7.ALTER.NET :      3 -> tcpmux over icmp
!  Jul 14 22:29:22 904.Hssi8-0-0.GW1.DFW7.ALTER.NET :      3 -> tcpmux over icmp
!  Jul 14 22:30:22 904.Hssi8-0-0.GW1.DFW7.ALTER.NET :      3 -> tcpmux over icmp
!  Jul 14 22:31:22 904.Hssi8-0-0.GW1.DFW7.ALTER.NET :      3 -> tcpmux over icmp
!  Jul 14 22:32:22 904.Hssi8-0-0.GW1.DFW7.ALTER.NET :      3 -> tcpmux over icmp
!  Jul 14 22:34:22 904.Hssi8-0-0.GW1.DFW7.ALTER.NET :      3 -> tcpmux over icmp
!  Jul 18 20:38:59                 152.163.244.95 :   5190 -> 1137 over tcp
!  Jul 18 20:39:59                 152.163.244.95 :   5190 -> 1137 over tcp
!  Jul 18 20:40:59                 152.163.244.95 :   5190 -> 1137 over tcp
!  Jul 18 20:41:59                 152.163.244.95 :   5190 -> 1137 over tcp
!  Jul 18 20:42:59                 152.163.244.95 :   5190 -> 1137 over tcp
!  Jul 18 20:43:59                 152.163.244.95 :   5190 -> 1137 over tcp
!  Jul 18 20:44:59                 152.163.244.95 :   5190 -> 1137 over tcp
!  Jul 18 20:45:59                 152.163.244.95 :   5190 -> 1137 over tcp
!  Jul 18 22:14:25                   chat.msn.com :   ircd -> 1025 over tcp
!  Jul 18 22:14:34                   chat.msn.com :   ircd -> 1025 over tcp
!  Jul 18 23:19:12           98CA9687.ipt.aol.com :   1711 -> 27015 over udp
!  Jul 19 00:34:37    209-239-196-116.oak.jps.net :   1282 -> telnet over tcp
!  Jul 19 00:34:50    209-239-196-116.oak.jps.net :   1282 -> telnet over tcp
!  Jul 19 00:39:17    209-239-196-116.oak.jps.net :   1962 -> telnet over tcp
!  Jul 19 00:39:20    209-239-196-116.oak.jps.net :   1962 -> telnet over tcp
!  Jul 19 00:39:40    209-239-196-116.oak.jps.net :   1962 -> telnet over tcp
!  Jul 19 18:30:27                   208.202.13.3 : netbios-ns -> netbios-ns 
over udp
!  Jul 19 18:30:28                   208.202.13.3 : netbios-ns -> netbios-ns 
over udp
!  Jul 19 18:30:30                   208.202.13.3 : netbios-ns -> netbios-ns 
over udp

Just for completeness, here's how to get started:

vi /etc/rc.d/rc.local
add
# deny all, log
/sbin/ipchains -I input -j DENY -l

Then you want to add back in whatever services you want to allow.
Telnetting to a remote machine means you have to allow the remote
telnetd to connect, like this:

# allow onyx's telnetd connect back to us on tcp, don't log
/sbin/ipchains -I input -s 206.53.103.2 23:23 -d 0/0 1024: -p tcp -j ACCEPT

Similarly for httpd, ftp, etc.

-jeff
-- 
"Beware of the man who works hard to learn something, learns it, and finds
himself no wiser than before," Bokonon tells us.  "He is full of murderous
resentment of people who are ignorant without having come by their
ignorance the hard way."  -- Kurt Vonnegut, "Cat's Cradle"
[Prev in Thread] Current Thread [Next in Thread]
  • [aclug-L] firewall flotsam & jetsam, Jeff <=