[ale] Grumbling Firewall Question
John Mills
john at mills-atl.com
Thu Jan 25 14:43:24 EST 2001
ALErs -
I used 'pmfirewall' to set up 'ipchains' on my Linux-2.2.17 box, which sits
behind a router. This works fine (AFAIK), except I seem to deny one type
of packet I might be better off accepting.
Situation: I open an 'ssh' to a remote host with no problem; the remote
replies with a confirming packet which I deny, and log. Each time more is
sent to the remote, its confirmation is denied, and logged. This is
amusing when I open another 'ssh' back from the remote, and command it:
'tail -f /var/log/messages' -- each transmission to the remote generates a
reply; each reply generates a log entry of its denial; each new line of
the log is sent to the remote; _ad_infinitum_. (Actually this was alarming
the first time I saw it, especially as it coincided with a short outage at
my ISP. I thought it was some kind of attack! &8-)
If I read the log correctly (just guessing, really), I think my rule #34
is denying a sequence of 'udp' packets (proto=17?) sent to sequential
ports at my firewall/router, which are being forwarded to my port 162.
Here is a snippet of '/var/log/messages':
***********************************************************************************
Jan 14 04:02:00 otter syslogd 1.3-3: restart.
Jan 14 04:03:51 otter inetd[417]: auth/tcp: bind: Address already in use
Jan 14 04:06:20 otter kernel: Packet log: input DENY eth0 PROTO=17 ROUTER_IP:4078 MY_HOST_IP:162 L=142 S=0x00 I=0 F=0x0000 T=64 (#34)
Jan 14 04:06:20 otter kernel: Packet log: input DENY eth0 PROTO=17 ROUTER_IP:4079 MY_HOST_IP:162 L=142 S=0x00 I=0 F=0x0000 T=64 (#34)
Jan 14 04:06:20 otter kernel: Packet log: input DENY eth0 PROTO=17 ROUTER_IP:4080 MY_HOST_IP:162 L=142 S=0x00 I=0 F=0x0000 T=64 (#34)
[and so on and so on ...]
Jan 16 22:57:42 otter kernel: Packet log: input DENY eth0 PROTO=17 ROUTER_IP:34822 MY_HOST_IP:162 L=141 S=0x00 I=0 F=0x0000 T=64 (#34)
Jan 16 22:57:53 otter kernel: Packet log: input DENY eth0 PROTO=17 ROUTER_IP:34823 MY_HOST_IP:162 L=140 S=0x00 I=0 F=0x0000 T=64 (#34)
Jan 16 22:57:53 otter kernel: Packet log: input DENY eth0 PROTO=17 ROUTER_IP:34824 MY_HOST_IP:162 L=140 S=0x00 I=0 F=0x0000 T=64 (#34)
[and so on and so on ...]
***********************************************************************************
The ruleset reported by 'ipchains -L' includes:
***********************************************************************************
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ anywhere anywhere n/a
ACCEPT tcp !y---- anywhere 192.168.1.0/24 any -> any
DENY all ------ 10.0.0.0/8 192.168.1.0/24 n/a
DENY all ------ 127.0.0.0/8 192.168.1.0/24 n/a
DENY all ------ 172.16.0.0/12 192.168.1.0/24 n/a
[...]
[my rule which permits 'ssh' logins:]
ACCEPT tcp ------ anywhere 192.168.1.0/24 any -> ssh
[...]
[catchall final rejection rule, no.34:]
DENY all ----l- anywhere anywhere n/a
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
[...]
***********************************************************************************
Question: How should I write a rule (or _should_ I write a rule) to accept
these packets returned by my 'ssh' correspondent?
Thanks.
- John Mills
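One way to triage log lines like these, as an added example that is not from the original post: it parses the ipchains 'Packet log' format quoted above and tallies denials by chain, verdict, protocol, destination port and rule number, so the protocol (UDP here, whereas an ssh session's replies are TCP) and the well-known name of the destination port are visible at a glance. The sample lines are constructed from the post's format, with ROUTER_IP and MY_HOST_IP kept as the post's own placeholders.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the ipchains "Packet log" format quoted
# in the post (ROUTER_IP / MY_HOST_IP are the post's placeholders, not real hosts).
SAMPLE_LOG = """\
Jan 14 04:02:00 otter syslogd 1.3-3: restart.
Jan 14 04:06:20 otter kernel: Packet log: input DENY eth0 PROTO=17 ROUTER_IP:4078 MY_HOST_IP:162 L=142 S=0x00 I=0 F=0x0000 T=64 (#34)
Jan 14 04:06:20 otter kernel: Packet log: input DENY eth0 PROTO=17 ROUTER_IP:4079 MY_HOST_IP:162 L=142 S=0x00 I=0 F=0x0000 T=64 (#34)
Jan 16 22:57:42 otter kernel: Packet log: input DENY eth0 PROTO=17 ROUTER_IP:34822 MY_HOST_IP:162 L=141 S=0x00 I=0 F=0x0000 T=64 (#34)
"""

# Fields of one ipchains (Linux 2.2) packet-log line: chain, verdict, interface,
# IP protocol number, src:port, dst:port, length, and the rule number in "(#N)".
LOG_RE = re.compile(
    r"kernel: Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) .*\(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Well-known (IANA) port names relevant to this post.
PORT_NAMES = {22: "ssh", 161: "snmp", 162: "snmp-trap"}

def parse_packet_log(text):
    """Return one dict per ipchains packet-log line; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        r = m.groupdict()
        for k in ("proto", "sport", "dport", "length", "rule"):
            r[k] = int(r[k])
        r["proto_name"] = PROTO_NAMES.get(r["proto"], str(r["proto"]))
        r["dport_name"] = PORT_NAMES.get(r["dport"], str(r["dport"]))
        records.append(r)
    return records

def summarize(records):
    """Tally packets per (chain, verdict, proto, dst, dst port, rule) so one line
    shows what the catch-all rule is really dropping and which service it targets."""
    return Counter((r["chain"], r["verdict"], r["proto_name"], r["dst"],
                    r["dport_name"], r["rule"]) for r in records)

if __name__ == "__main__":
    for key, n in summarize(parse_packet_log(SAMPLE_LOG)).most_common():
        print(n, *key)
```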