Being a good netizen, with iptables.
Mon, 25 Mar 2002 20:46:09 -0500
On Mon, Mar 25, 2002 at 05:30:46PM -0800, Rob Finneran wrote:
> Good topic.
> I've read a CERT that states that ISPs should practice being good net citizens
> by not allowing packets with spoofed IP addresses to leave their networks.
It's easier said than done. First of all, it should be done on the edge,
otherwise a transit network cannot distinguish between a spoofed and a
valid transit packet; secondly, just imagine what the impact would be to
filter on OC-12 or OC-48 or even OC-192 interfaces... Another point is that not
all spoofed packets are from different ISPs or even segments of an ISP, so
there is still a possibility for a spoofer to spoof...
But in general, I agree: spoofed packets should get identified and dropped
as early as possible, ideally on the very first hop.
> Maybe I'm a little naive, but if everyone did this, wouldn't this prevent
> the majority of hack attacks?
> -----Original Message-----
> From: firstname.lastname@example.org
> [mailto:email@example.com]On Behalf Of Daniel F. Chief
> Security Engineer -
> Sent: Monday, March 25, 2002 2:31 PM
> To: Netfilter - Mail list
> Subject: Being a good netizen, with iptables.
> This may be more philosophical than technical.
> I have several gateway firewalls using iptables : )
> Big ones; each one can see at peak around 100+ Mb/s. I have many rules for
> ports that are filtered to REJECT with an ICMP port or host unreachable.
> From time to time I get e-mails from other _admins_ saying "Your IP
> xxx.xxx.xxx.xxx is attacking us"; some of them include packet logs showing
> the ICMP packets coming from my firewall. So basically I tell them to check
> out their own system, as I know my firewalls are secure (of course I check
> every time because I'm paranoid), telling them that it is possible that
> someone spoofed their IP while sending me packets. But it could be port
> scanners who may own the other guy's box or have an account there which
> allows them to portscan.
> Using REJECTs, it seems to me, would possibly draw attention to these
> systems that are doing such naughty things when a netadmin hopefully sees
> potentially hundreds of ICMP port unreachable coming in to his network
> for one machine. I know I have filters setup to see this kind of stuff and
> alert me to the possibility of a compromised machine.
> I'm not trying to start a _Holy_war_ between DROP and REJECT fans, just
> wondering what the consensus is here. What should a good netizen do these
> Chief Security Engineer | Daniel Fairchild firstname.lastname@example.org
> Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
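The two things the thread argues for, dropping spoofed packets on the first hop in both directions and choosing how filtered ports answer, as an added example that is not code from either poster. Interface names eth0 (uplink), eth1 (LAN) and the LAN prefix 192.0.2.0/24 are assumed placeholders; by default the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): anti-spoofing rules for an iptables edge
# gateway, plus the REJECT-vs-DROP choice for filtered ports.
# Assumptions: WAN uplink eth0, LAN eth1, LAN prefix 192.0.2.0/24 (documentation
# range). DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# antispoof WAN LAN PREFIX: drop spoofed packets at the first hop, both directions.
antispoof() {
    wan="$1"; lan="$2"; prefix="$3"
    # Egress: nothing leaves the uplink unless it carries one of our own source addresses.
    ipt -A FORWARD -i "$lan" -o "$wan" ! -s "$prefix" -j LOG --log-prefix "EGRESS-SPOOF:"
    ipt -A FORWARD -i "$lan" -o "$wan" ! -s "$prefix" -j DROP
    # Ingress: a packet arriving from the Internet can never legitimately carry our prefix.
    ipt -A INPUT   -i "$wan" -s "$prefix" -j DROP
    ipt -A FORWARD -i "$wan" -s "$prefix" -j DROP
}

# closed_ports WAN reject|drop: how unwanted connection attempts are answered.
closed_ports() {
    wan="$1"; mode="$2"
    if [ "$mode" = "reject" ]; then
        # REJECT answers with ICMP, as in the thread; rate-limit it so a flood with a
        # forged source cannot turn this gateway into an ICMP reflector aimed at that source.
        ipt -A INPUT -i "$wan" -p tcp --dport 1:1023 -m limit --limit 20/s --limit-burst 50 \
            -j REJECT --reject-with icmp-port-unreachable
        ipt -A INPUT -i "$wan" -p udp --dport 1:1023 -m limit --limit 20/s --limit-burst 50 \
            -j REJECT --reject-with icmp-port-unreachable
        # Whatever exceeds the limit is dropped silently.
        ipt -A INPUT -i "$wan" -p tcp --dport 1:1023 -j DROP
        ipt -A INPUT -i "$wan" -p udp --dport 1:1023 -j DROP
    else
        ipt -A INPUT -i "$wan" -p tcp --dport 1:1023 -j DROP
        ipt -A INPUT -i "$wan" -p udp --dport 1:1023 -j DROP
    fi
}

antispoof eth0 eth1 192.0.2.0/24
closed_ports eth0 reject
```

The LOG rule on the egress path is what lets the gateway's admin notice a compromised internal host trying to spoof before anyone upstream has to complain.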