Full Disclosure mailing list archives
Re: closing ports
From: Valdis.Kletnieks () vt edu
Date: Fri, 07 Nov 2003 11:28:04 -0500
On Fri, 07 Nov 2003 15:30:56 +0200, hena <hena () hack fi> said:
> if you're running Linux try something like iptables -t filter -A INPUT -p tcp -s 0.0.0.0 --syn -j REJECT --reject-with tcp-reset
That -s 0.0.0.0 won't do what you think. (It will drop all packets that have a source address of 0.0.0.0). I'd not bet on getting right results from '-s 0.0.0.0/0' either. You probably want to:

a) Leave the -s 0.0.0.0 off entirely.
b) Make this the *last* rule, and have other accepting rules before it.
c) Include a ' -m limit --limit 4/sec -j LOG' rule or similar, so you know what it is you're dropping on the floor.
d) Actually *LOOK AT* what (c) produces (yes, a daily summary via Perl script is OK).

Many sites don't bother doing (d) and then get surprised when they get blindsided by something that the logs had given fair warning for....
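The ruleset Valdis outlines, written out in the order he gives (accept rules first, a rate-limited LOG, the catch-all REJECT last, no -s 0.0.0.0), plus a summary step for item (d). This is an added example, not code from either message; it assumes SSH on tcp/22 is the only service to admit, and the log prefix "FW-REJECT: " and the sample log lines are constructed here.

```shell
# Rules in the order the reply calls for: accepted traffic first, then a
# rate-limited LOG, and the catch-all REJECT (without -s 0.0.0.0) last.
emit_rules() {
    cat <<'EOF'
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 --syn -j ACCEPT
iptables -t filter -A INPUT -p tcp --syn -m limit --limit 4/sec -j LOG --log-prefix "FW-REJECT: "
iptables -t filter -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
EOF
}

# Ordering check for a ruleset on stdin: prints "ok" only if the REJECT is
# the last rule and a LOG rule appears somewhere before it.
check_order() {
    awk '/-j LOG/ { lg = NR } /-j REJECT/ { rej = NR }
         END { if (rej == NR && lg > 0 && lg < rej) print "ok"; else print "bad" }'
}

# Step (d): summarise kernel LOG lines by source address and destination
# port, most frequent first, so the rejected traffic actually gets looked at.
summarize_log() {
    grep 'FW-REJECT: ' | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") count[src " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2 -k3,3n
}

# Constructed sample of what the LOG rule writes to the kernel log (addresses
# are documentation ranges), plus one unrelated line the filter must ignore.
sample_log() {
    cat <<'EOF'
Nov  7 11:20:01 gw kernel: FW-REJECT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=445 SYN
Nov  7 11:20:02 gw kernel: FW-REJECT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=445 SYN
Nov  7 11:20:03 gw kernel: FW-REJECT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=445 SYN
Nov  7 11:21:00 gw kernel: FW-REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=135 SYN
Nov  7 11:22:30 gw kernel: FW-REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=22 SYN
Nov  7 11:23:00 gw sshd[1234]: Accepted publickey for admin from 10.0.0.5
EOF
}
```

Feed `emit_rules | sh` on the firewall host and `summarize_log < /var/log/kern.log` from a daily cron job; the ordering check catches a REJECT that drifted above the accept or LOG rules.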