block Nimda

[Chris Wilkes]

He's saying the source ISNT from 217.x.  But that's a rather odd way of
doing it, I would put a rule before that saying to DROP anything that
comes from that subnet.  Also, like you said, change the subnet.

But you should have nothing to fear from this attack as you're properly
patched up, right? :)  Its just another thing that could bite you in the
ass later on when a management type says "why can't some people get to our
website?"

Chris


On Wed, 17 Oct 2001, Johnny Tang wrote:

> You set the subnet mask as /32.  And it's set to accept.  What are you 
> trying to accomplish?
> 
> Thanks,
> Fei
> 
> 
> >From: "Frank" <duranicub@gmx.net>
> >To: <netfilter@lists.samba.org>
> >Subject: block Nimda
> >$IPTABLES -t filter -A INPUT -p tcp --dport 80 -s ! 217.0.0.0/32 -m
> >state --state NEW,ESTABLISHED -j ACCEPT
> >$IPTABLES -t filter -A OUTPUT -p tcp --sport 80 -d ! 217.0.0.0/32 -m
> >state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >
> >but this seems does nothing anyhing affecting ... the Network 217.x.x.x is 
> >a
> >Internet Subnet. Is there an
> >Syntax roblem or anything else ?