Nimda and Iptables
Chris Wilkes
cwilkes@ladro.com
Tue, 2 Oct 2001 18:34:10 -0700 (PDT)
> >
> > Bottom line: Don't use string match for dropping TCP packets.
> >
> > Scottie Shore <sshore@escape.ca>
Off the netfilter topic again, but would a good way of blocking Nimda from
getting out of your organization be to have a web proxy server that
everyone has to go through, and otherwise drop the outbound port 80
packets?
Nimda probably doesn't know about the proxy server, nor does it know how to go
through it. And when your firewall starts dropping hundreds of outbound
port 80 packets from your internal network you'll know quickly that you have a
problem.
What's the best way to set up alerts in netfilter? Have it write out the
dropped packet to syslog and have something tailing it and let that
program have metrics on who and when to contact admins?
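One way to implement what the message above describes, as an added example that is not part of the original thread or of netfilter itself: a chain that lets only the proxy host send outbound HTTP, logs and drops everything else, plus a small syslog filter that can sit behind `tail -f` and raise an alert once an internal host crosses a drop threshold. The LAN range, proxy address, external interface, log prefix and threshold are assumptions, and the syslog lines in `sample_log` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: force outbound HTTP through a proxy with iptables, log the
# drops, and alert on hosts that generate many of them (Nimda-style noise).
# Hypothetical values: adjust LAN_NET, PROXY_IP and WAN_IF to your network.

LAN_NET="10.0.0.0/8"     # internal address range (assumed)
PROXY_IP="10.0.0.5"      # the only host allowed to reach port 80 directly (assumed)
WAN_IF="eth0"            # interface facing the Internet (assumed)
LOG_PREFIX="HTTP_OUT_DROP: "
THRESHOLD=50             # dropped packets from one host before we alert

# Print the rules rather than applying them, so the script is safe to run
# anywhere; on the firewall, pipe the output into sh as root.
print_http_rules() {
    cat <<EOF
iptables -N HTTP_OUT
iptables -A FORWARD -s $LAN_NET -o $WAN_IF -p tcp --dport 80 -j HTTP_OUT
iptables -A HTTP_OUT -s $PROXY_IP -j ACCEPT
iptables -A HTTP_OUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "$LOG_PREFIX" --log-level warning
iptables -A HTTP_OUT -j DROP
EOF
}

# Read kernel LOG lines on stdin, count drops per SRC= address, and print one
# ALERT line the moment a host reaches THRESHOLD.  Works on a live stream:
#   tail -f /var/log/messages | alert_noisy_hosts
alert_noisy_hosts() {
    awk -v thr="$THRESHOLD" -v pfx="$LOG_PREFIX" '
        index($0, pfx) {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)   # strip the "SRC=" tag
            if (src != "" && ++n[src] == thr) {
                printf "ALERT host=%s reached %d dropped HTTP packets\n", src, thr
                fflush()
            }
        }'
}

# Constructed syslog excerpt: one worm-like host (60 drops) and one host that
# merely misconfigured its browser for a moment (3 drops).
sample_log() {
    i=0
    while [ "$i" -lt 60 ]; do
        echo "Oct  2 18:34:10 fw kernel: ${LOG_PREFIX}IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=192.0.2.10 PROTO=TCP SPT=$((1024 + i)) DPT=80 SYN"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 3 ]; do
        echo "Oct  2 18:35:01 fw kernel: ${LOG_PREFIX}IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=192.0.2.20 PROTO=TCP SPT=$((2048 + i)) DPT=80 SYN"
        i=$((i + 1))
    done
    echo "Oct  2 18:35:02 fw kernel: unrelated message that must be ignored"
}

# Stand-alone demonstration.
if [ "${1:-}" = "demo" ]; then
    print_http_rules
    sample_log | alert_noisy_hosts
fi
```

The `-m limit` clause on the LOG rule keeps an infected machine from flooding syslog; the DROP that follows is unlimited, so nothing leaks. Run `sh script.sh demo` to see the rules and a single alert for 10.0.0.17; the whole filter stays in one awk process so it can follow a growing log without re-reading it.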