how to reduse false positives?
Wed, 16 Jan 2002 10:22:57 -0800
> i wondering if there is a generaly execepted way to help reduse false
> positives that i feal are being caused by my nat/proxy making requests
> from ports that i am droping on my iptables.
> correct me if im wrong, but here is my thinking, request goes to squid
> and squid grabes a random port and requests the page. i am droping several
> high ports hoping to protect my winddows clients, and ocasionaly squid
> makes a request from one of those ports, which is of cource not going to work
> because iptables dropes the reply when it comes back.
> ok, squid is not the only problem, im doing nat for some stuff on my
> network, and nat apears to do the same thing.
> so i guess the question is, is there some program i can run my linux box
> that will make these port unavailabe to aplications somehow? or do i not
> have my iptables set up corectly?
First, you do not need to drop all packets on these ports. You only need to
drop the packets with the SYN bit. This will prevent outside connections to
your box and allow local programs to bind to the port when connecting out.
Second, if you are not already using it, I highly suggest using the state
tracking in iptables. Allowing ESTABLISHED,RELATED packets as your first
rule will save some processing time because most packets will get accepted
at the first rule they encounter.