02-19-2004, 09:41 PM
Senior Member (Join Date: May 2003; Location: Vienna, Austria; Posts: 116)
packet filter violation still logged
Hi,
Because we are really suffering from attacks lately, the log files have grown very big and of course I've got thousands of mails about processes using too much memory or too much CPU. The reason for that is that the kernel log files are getting really big, so I thought I'd make a packet filter rule at the last position that says any any any drop. But if I go to Filter Live Log there are entries. Why? What is going wrong here?
Thanks for all your responses,
Henrik

02-19-2004, 09:52 PM
Wizard (Join Date: May 2003; Location: Brunswick, Maryland, USA; Posts: 2,667)
Re: packet filter violation still logged
You have to specify the interface you want the dropping to occur at, so it would be any any internal_interface (or external_interface) drop.

02-20-2004, 02:45 AM
Wizard (Join Date: Dec 2003; Location: Calgary, Alberta, Canada; Posts: 1,186)
Re: packet filter violation still logged
Try a set of filters like these:
Any Any Broadcast32 Drop
PPTP-Pool Any Any Allow
Any { netbios } External_Interface__ Drop
Any { netbios } Internal_Broadcast__ Drop
Any { netbios } Internal_Network__ Drop
Any { netbios } Internal_Interface__ Drop
Any { Microsoft-SQL } Internal_Interface__ Drop
Any Microsoft-SMB Internal_Interface__ Drop
Any DNS External_Interface__ Drop
Any POP3 External_Interface__ Drop
Any SSH External_Interface__ Drop
Any Any Any Allow
These are some of the more general filters that I am now using.
Once they are applied, you can look in the live filter log for any additional repetitive packet behaviour that also needs to be filtered. Then simply create additional filters to meet your specific requirements.

02-20-2004, 05:37 AM
Aussie moderator. (Join Date: Jun 2001; Location: Perth, Western Australia; Posts: 2,628)
Re: packet filter violation still logged
Why have you got Any Any Any Allow as the last rule?
Very unsafe.

02-20-2004, 07:43 AM
Wizard (Join Date: Dec 2003; Location: Calgary, Alberta, Canada; Posts: 1,186)
Re: packet filter violation still logged
What would you recommend that I use instead?
I have 3 interfaces, Internal, External and Internal2, the latter being the DMZ net which has my FTP and Webmail servers.
I put in the Any Any Any Allow rule at the bottom to ensure that whatever I was not specifically blocking would get through. I agree with you that it is not the safest approach, and I should probably improve upon it, since I am planning to add a WiFi access point to the Internal2 DMZ net this year.
I am open to suggestions.

02-21-2004, 02:16 AM
Member (Join Date: Jan 2004; Location: St. Louis, MO, USA; Posts: 92)
Re: packet filter violation still logged
Just a thought: would it not be better to define the service for the FTP/web server, so if you are running other services on the boxes on that subnet you would define the service, DNAT/SNAT it, and then use the packet filter to allow access to those ports that you need service to?
I guess what I am saying is that I have pretty much the same setup that you have, but I do not have the any any any allow; it just seems to be vulnerable to exploit.
What I did on my DMZ subnet is 192.168.3.8, which is my webserver that I also run TeamSpeak on: define the service for TeamSpeak, DNAT/SNAT it, and use the packet filter.
Unless of course you have many, many services that you need and don't want to set each of them up, and so use the any any any allow. Just a thought.

02-21-2004, 09:54 AM
Senior Member (Join Date: Mar 2002; Location: Sweden; Posts: 140)
Re: packet filter violation still logged
[ QUOTE ]
I put in the Any Any Any Allow rule at the bottom to ensure that whatever I was not specifically blocking would get through.
[/ QUOTE ]
I would rather think the opposite way... don't allow anything unless said so.

02-21-2004, 07:13 PM
Wizard (Join Date: Dec 2003; Location: Calgary, Alberta, Canada; Posts: 1,186)
Re: packet filter violation still logged
I have taken your advice. I created a number of specific service based allow rules, and turned off the Any Any Any Allow that I had at the bottom of my filter list. I guess I was just being lazy before, trying to do it the easy way. I am now up to a count of 27 filter rules, and I can already see that I might have to add some more soon.
Does anyone have a good, comprehensive filter list that they would like to show off as a sample template?

02-23-2004, 01:55 AM
Aussie moderator. (Join Date: Jun 2001; Location: Perth, Western Australia; Posts: 2,628)
Re: packet filter violation still logged
My rules appear similar to below:
1) Any Any Any [Disabled (for testing only)]
2) PrivateLAN Any Any (Allow any lan traffic OUT)
(At work I actually specified a service group of allowed protocols for this instead of ANY service).
3) Any {web services} Webserver (Create a service group called {webservices} which has HTTP, HTTPS etc.)
4) Any {DNS} DNS_Server.. etc etc...
Try to use groups as much as possible.

02-23-2004, 04:55 PM
Wizard (Join Date: Dec 2003; Location: Calgary, Alberta, Canada; Posts: 1,186)
Re: packet filter violation still logged
I have taken your advice, and I have now created three service groups:
Services - containing all the services that I want to keep open from Any to Any.
Drop - Containing all those services on the Internal LAN that I want dropped at the Internal_Interface, so that they don't fill the kernel log with junk.
Hidden - Containing all those services otherwise visible on the External_Interface that I want to keep hidden from the outside world.
That cleaned up my filter list a lot; it is now down to just 7 lines.
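The rule-ordering discussion in this thread (the Drop-before-Allow list in the Calgary poster's first reply, and the moderator's default-deny list built from service groups) comes down to first-match evaluation with an implicit default policy at the bottom. The following Python model is an added illustration written for this page; it is not the forum's, Astaro's or any poster's code. It assumes a rule is Source / Service / Destination / Action, that rules are tried top to bottom and the first match wins, that an explicit rule logs only when its (assumed) per-rule `log` flag is set, and that anything falling through to the default policy is dropped and logged. The service ports, network objects, addresses and group names below are constructed for the example (192.168.3.8 is the webserver address quoted in the thread; everything else is made up).

```python
"""First-match packet filter model (constructed illustration, not Astaro code).

Rules are Source / Service / Destination / Action, evaluated top to bottom.
Service groups ({webservices}, Drop) expand to the union of their members,
as the moderator's and the later post's group-based lists do. Packets that
match no rule hit the default policy, modelled here as "Drop and log" -
the entries the original poster kept seeing in the live filter log.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service definitions: name -> set of (proto, dport). Constructed values.
SERVICES = {
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "SSH": {("tcp", 22)},
    "Microsoft-SMB": {("tcp", 445)},
    "netbios": {("udp", 137), ("udp", 138), ("tcp", 139)},
}
# Service groups expand to all ports of their member services.
GROUPS = {
    "webservices": {"HTTP", "HTTPS"},
    "Drop": {"netbios", "Microsoft-SMB"},  # LAN noise to drop silently
}
# Network objects (assumed addresses). "Any" matches every address.
NETWORKS = {
    "PrivateLAN": ip_network("192.168.1.0/24"),
    "Internal_Interface": ip_network("192.168.1.1/32"),
    "Webserver": ip_network("192.168.3.8/32"),
    "External_Interface": ip_network("203.0.113.10/32"),
}


@dataclass
class Rule:
    source: str
    service: str
    destination: str
    action: str        # "Allow" or "Drop"
    log: bool = False  # assumption: explicit rules log only when asked


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def expand_service(name):
    """Return the (proto, port) set for a service or group; None means Any."""
    if name == "Any":
        return None
    ports = set()
    for member in GROUPS.get(name, {name}):
        ports |= SERVICES[member]
    return ports


def net_matches(name, addr):
    return name == "Any" or ip_address(addr) in NETWORKS[name]


def rule_matches(rule, pkt):
    ports = expand_service(rule.service)
    if ports is not None and (pkt.proto, pkt.dport) not in ports:
        return False
    return net_matches(rule.source, pkt.src) and net_matches(rule.destination, pkt.dst)


def evaluate(rules, pkt):
    """Return (action, logged, rule_index); index -1 means the default policy."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, rule.log, i
    return "Drop", True, -1  # assumption: default deny, and it is logged


# Noise drops first (so the LAN allow below cannot shadow them), then the
# specific allows. Nothing else gets through, and what falls off the end
# shows up in the log.
DEFAULT_DENY = [
    Rule("Any", "Drop", "Internal_Interface", "Drop"),
    Rule("PrivateLAN", "Any", "Any", "Allow"),
    Rule("Any", "webservices", "Webserver", "Allow"),
]
# The same list with the catch-all the thread warns against appended.
DEFAULT_ALLOW = DEFAULT_DENY + [Rule("Any", "Any", "Any", "Allow")]


def compare(pkt):
    """Evaluate one packet under both lists: (deny_result, allow_result)."""
    return evaluate(DEFAULT_DENY, pkt), evaluate(DEFAULT_ALLOW, pkt)


if __name__ == "__main__":
    samples = [  # constructed traffic
        Packet("198.51.100.7", "192.168.3.8", "tcp", 443),  # visitor to webserver
        Packet("192.168.1.20", "192.168.1.1", "udp", 137),  # NetBIOS chatter
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22),  # SSH from outside
    ]
    for p in samples:
        print(p, compare(p))
```

The third sample is the point of the moderator's objection: under the default-deny list the outside SSH attempt falls through to the default policy and is dropped and logged, while the trailing Any Any Any Allow lets it straight through. The second sample shows why the posters put their NetBIOS/SMB drops near the top: matched there, the chatter is discarded without a log line, whereas a later catch-all or the default policy would log every packet.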