[3874] in linux-net channel archive
Re: ipfwadm help
daemon@ATHENA.MIT.EDU (Jos Vos)
Fri Jul 26 17:03:19 1996
From: Jos Vos <jos@xos.nl>
To: jlewis@inorganic5.fdt.net (Jon Lewis)
Date: Fri, 26 Jul 1996 17:24:18 +0200 (MET DST)
Cc: linux-net@vger.rutgers.edu
In-Reply-To: <Pine.LNX.3.91.960726014609.15516q-100000@inorganic5.chem.ufl.edu> from "Jon Lewis" at Jul 26, 96 02:03:20 am
Hi,
> IP firewall forward rules, default policy: accept
> type prot source destination ports
> rej icmp 194.166.52.70 205.229.51.128/25 *
> deny all 194.166.52.70 205.229.51.128/25 n/a
I would suggest that you do a deny i.s.o. a reject for the ICMP packets.
You don't allow ICMP packets to go out anyway...
If you really want to use deny, to make the other system stop sending
(if you're lucky), you have to allow some outgoing ICMP packets.
> None of these rules seemed to stop 194.166.52.70 from ping flooding an
> address in 205.229.51.128/25 which was being used for a PPP connection.
> Am I doing something wrong, or is the firewalling code? I assume the
> forwarding rules are the ones I should be dealing with...and only tried
> the In/Out rules after getting no results from the forwarding ones.
Note that the accounting is done _before_ the input firewall, so you'll
see the incoming ICMP packets in the account statistics _even_ if they're
not accepted by the firewall.
Use "ipfwadm -Ile" to see how many packets/bytes match the
firewall rules (so you can see whether they were actually rejected or
not).
Hint: using the -o option, e.g. in combination with the account rules,
will make the kernel log one line of information about each packet.
This might make debugging easier too.
> BTW...here's another thing that bugs me. I have all my boxes setup to
> email me the day's IP accounting and clear the counters nightly. One of
> the lines from the above system in the email'ed output was:
>
> 5010 4983K i/o icmp 13.229.51.128/25 anywhere any
>
> That line should have read (though it would have used names not numbers):
> 5010 4983K i/o icmp 205.229.51.128/25 0.0.0.0/0 *
This is an interesting one. You're missing the leftmost 2 bits here.
Could you please mail me the output of the "ipfwadm -Alxen" command
together with the output of "cat /proc/net/ip_acct"?
--
-- Jos Vos <jos@xos.nl>
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands | Fax: +31 20 6948204