[3869] in linux-net channel archive


ipfwadm help

daemon@ATHENA.MIT.EDU (Jon Lewis)
Fri Jul 26 11:10:06 1996

Date: 	Fri, 26 Jul 1996 02:03:20 -0400 (EDT)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: Linux Net Mailing List <linux-net@vger.rutgers.edu>

I've had trouble in the past few days with users on my linux term servers 
being attacked by foreign sites with (I assume) ping.  What I see is lots 
of icmp in the ipfwadm output, i.e.:

IP accounting rules
 pkts bytes dir prot source               destination          ports
79166  100M i/o icmp 0.0.0.0/0            205.229.51.128/25    *
  196 10976 i/o icmp 205.229.51.128/25    0.0.0.0/0            *
78510  100M i/o icmp 194.166.52.70        205.229.51.128/25    *

This 194.166.52.70 address was the troublemaker tonight.  I tried to 
block icmp from that address, but failed.  Here's what I tried on the 
terminal server:

IP firewall forward rules, default policy: accept
type  prot source               destination          ports
rej   icmp 194.166.52.70        205.229.51.128/25    *
deny  all  194.166.52.70        205.229.51.128/25    n/a

IP firewall output rules, default policy: accept
type  prot source               destination          ports
deny  icmp 194.166.52.70        205.229.51.128/25    *
deny  all  194.166.52.70        0.0.0.0/0            n/a

IP firewall input rules, default policy: accept
type  prot source               destination          ports
deny  icmp 194.166.52.70        0.0.0.0/0            *

None of these rules seemed to stop 194.166.52.70 from ping flooding an 
address in 205.229.51.128/25 which was being used for a PPP connection.  
Am I doing something wrong, or is the firewalling code?  I assume the 
forwarding rules are the ones I should be dealing with...and only tried 
the In/Out rules after getting no results from the forwarding ones.

BTW...here's another thing that bugs me.  I have all my boxes set up to 
email me the day's IP accounting and clear the counters nightly.  One of 
the lines from the above system in the emailed output was:

 5010 4983K i/o icmp 13.229.51.128/25     anywhere             any

That line should have read (though it would have used names not numbers):
 5010 4983K i/o icmp 205.229.51.128/25    0.0.0.0/0            *

It seems the kernel or ipfwadm got a few bits confused.  

This is all with Linux 2.0.4 and ipfwadm 2.1.

------------------------------------------------------------------
 Jon Lewis                      |  Mime attachments are OK
 jlewis@inorganic5.fdt.net      |  But please ask before sending 
 http://inorganic5.fdt.net      |  unsolicited huge files.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
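An added example, not part of the original post: a small Python parser for the ipfwadm accounting listing quoted above that flags single-host ICMP sources dominating the counters, which is the pattern the post describes. It assumes the K/M suffixes ipfwadm prints are binary multiples (1024 and 1024*1024); the sample listing is copied from the post.

```python
import re
from dataclasses import dataclass

# Suffixes as printed by ipfwadm's accounting listing. Assumed (not stated
# on the page) to be binary multiples.
_MULT = {"": 1, "K": 1 << 10, "M": 1 << 20}

# Accounting listing copied from the post (sample input for this example).
SAMPLE = """\
IP accounting rules
 pkts bytes dir prot source               destination          ports
79166  100M i/o icmp 0.0.0.0/0            205.229.51.128/25    *
  196 10976 i/o icmp 205.229.51.128/25    0.0.0.0/0            *
78510  100M i/o icmp 194.166.52.70        205.229.51.128/25    *
"""

@dataclass
class AcctRule:
    pkts: int
    nbytes: int
    direction: str
    proto: str
    src: str
    dst: str
    ports: str

def parse_count(tok: str) -> int:
    """Turn '100M' / '4983K' / '10976' into an integer byte or packet count."""
    m = re.fullmatch(r"(\d+)([KM]?)", tok)
    if not m:
        raise ValueError(f"bad counter token: {tok!r}")
    return int(m.group(1)) * _MULT[m.group(2)]

def parse_listing(text: str) -> list[AcctRule]:
    """Parse 'ipfwadm -A -l' style output, skipping the title and column header."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or not f[0].isdigit():
            continue  # title line, column header, or blank
        rules.append(AcctRule(int(f[0]), parse_count(f[1]), f[2], f[3], f[4], f[5], f[6]))
    return rules

def icmp_talkers(rules: list[AcctRule], min_pkts: int) -> list[tuple[str, int]]:
    """Single-host ICMP sources (no '/' prefix) with at least min_pkts packets, busiest first."""
    hits = [(r.src, r.pkts) for r in rules
            if r.proto == "icmp" and "/" not in r.src and r.pkts >= min_pkts]
    return sorted(hits, key=lambda t: -t[1])

if __name__ == "__main__":
    for src, pkts in icmp_talkers(parse_listing(SAMPLE), min_pkts=1000):
        print(f"{src}: {pkts} icmp packets")
```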

