Re: lug-bg: parvi stapki
- Subject: Re: lug-bg: parvi stapki
- From: erzr@xxxxxxxxxx (Peter Valchev)
- Date: Thu, 7 Sep 2000 01:43:56 +0000
Suddenly on Wed, Sep 06, 2000 at 07:30:00PM +0900, Julian Stoev wrote:
: I don't like how your firewall is set up, and maybe upstream at your
: ISP too?? What kind of firewall is this that lets packets from 10.0.0.1 through????
:
: IMHO such packets from the external network should be DENY-ed immediately.
:
: I'd like to suggest that you go to this address
: http://www.linux-firewall-tools.com/linux/firewall/index.html
:
: and, if you administer this firewall, configure it from scratch.
: I think by default it generates rules that get rid of such "faked"
: packets.
:
: My knowledge ends here. In my opinion you should also call your
: provider and ask them how such packets are reaching you.
: In my opinion this problem can only be solved with the cooperation of
: the provider. That's all from me....
:
: >:-[
:
: --JS
:
: PS. And consider whether someone on the local network might be playing
: some kind of trick on you. Just a guess....
:
: On Wed, Sep 06, 2000 at 11:19:58AM +0200, ISM Kolemanov, Ivan wrote:
: |Snort report:
: |Sep 4 21:31:43 211.34.121.57:2429 -> my1st_DMZ-IP:21 SYN **S*****
: |...
: |Sep 4 21:31:43 211.34.121.57:2443 -> mylast_DMZ-IP:21 SYN **S*****
: |
: |Sep 5 14:35:02 10.0.0.1:21 -> my1st_DMZ-IP:21 SYNFIN **SF****
: |...
: |Sep 5 14:35:02 10.0.0.1:21 -> mylast_DMZ-IP:21 SYNFIN **SF****
: |
: |IPFilter log:
: |ipflog.0:Sep 5 14:26:23 tangra ipmon[31411]: 14:26:23.057576
: | xl0 @1:4 b 10.0.0.1,21 -> 255.255.255.255,21 PR tcp len 20 40
: |-SF IN
: |ipflog.0:Sep 5 14:26:23 tangra ipmon[31411]: 14:26:23.096216
: | xl0 @1:4 b 10.0.0.1,21 -> mygateIP,21 PR tcp len 20 40 -SF IN
: |ipflog.0:Sep 5 14:35:02 tangra ipmon[31411]: 14:35:02.038646
: | xl0 @1:4 b 10.0.0.1,21 -> my1st_DMZ-IP,21 PR tcp len 20 40 -SF IN
: |...
: |ipflog.0:Sep 5 14:35:05 tangra ipmon[31411]: 14:35:05.319257
: | xl0 @1:4 b 10.0.0.1,21 -> mylast_DMZ-IP,21 PR tcp len 20 40 -SF IN
: |
The way I see it, this smells of RawIP.
And I don't see why you all decided that the firewall "lets through" the packets?!
For those not familiar with ipfilter and, accordingly, ipmon itself,
here is a short explanation of the format:
ipflog.0:Sep 5 14:35:05 tangra ipmon[31411]: 14:35:05.319257
xl0 @1:4 b 10.0.0.1,21 -> mylast_DMZ-IP,21 PR tcp len 20 40 -SF IN
The first field is clear - a timestamp. The next one too - the interface on which
this is happening. The third (@1:4) shows the name of the "rule" that catches the packet
(ipfstat -in). To find out where it comes from, in this case, you have to look at rule
4 in group 1.
The fourth field, the small "b", shows that the packet is 'blocked'. Analogously, "p"
means 'passed'. Fields 5 and 6 are clear - where the packet comes from and where it goes.
7 ("PR") and 8 show the protocol and the size of the packet.
The last "IN" shows that the packet is 'incoming', and "-SF" shows the packet's 'flags' - in
this case SYN.
eh .. I got a bit carried away.
So the *block* is perfectly visible in the log, but that's not the man's problem - the goal
is to find out the real IP that stands behind all this. And 10.0.0 means nothing
more than a little joke.. with the same success this IP could have been
216.32.74.53 ... for example .. so the ipf rules don't accomplish much...
and blocking in general doesn't help much and is not a solution.
Get in touch with your provider, maybe they can do something about it there! Or hire
a private detective to track down the culprit. :))
But I'm also quite curious how something like this can be 'detected';
so far I haven't managed to do anything of the sort. As far as I've read and
remember, Cisco have similar "builtins"... (unfortunately I'm not at all
familiar with them in detail). But as for bpf(4) I have no idea, and I'm curious too :(
Still, there seems to be some information in the header that remains noticeable ...
Regarding RawIP (Raw Sockets), you can take a look at:
http://www.packetfactory.net/libnet/manual/4.html
where it is well explained ...
-erzr.
--
$Id: .signature,v 1.145 2000/09/02 12:36:17 erzr Exp $
* Peter Valchev
* erzr@xxxxxxxxxxxxxx
* www.toxiclinux.org/pgpkey.txt
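The field-by-field description of the ipmon log format above, turned into a parser plus a small triage pass, as an added example that is not part of the original thread or of IPFilter's own tooling. It assumes xl0 is the Internet-facing interface (as in the quoted log) and works on constructed sample lines: the 10.0.0.1 and 211.34.121.57 sources come from the quoted logs, while the 192.0.2.x destinations are documentation addresses standing in for the DMZ hosts. It goes a little beyond the message by flagging the three things the thread's logs actually show: a private source address arriving on the external interface, SYN and FIN set together, and one source sweeping the same port across several DMZ hosts.

```python
import ipaddress
import re
from collections import Counter

# One ipmon(8) log line in the layout quoted in the thread.  The leading
# "ipflog.0:" is the file name that grep prefixes, so it is optional here.
IPMON_RE = re.compile(
    r"^(?:(?P<file>[^:\s]+):)?"
    r"(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+ipmon\[(?P<pid>\d+)\]:\s+"
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"           # timestamp
    r"(?P<iface>\S+)\s+"                        # interface
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"         # rule that matched (ipfstat -in)
    r"(?P<action>[bp])\s+"                      # b = blocked, p = passed
    r"(?P<src>[^\s,]+),(?P<sport>\d+)\s+->\s+"  # source address,port
    r"(?P<dst>[^\s,]+),(?P<dport>\d+)\s+"       # destination address,port
    r"PR\s+(?P<proto>\S+)\s+"                   # protocol
    r"len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"      # header length, packet length
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+"            # TCP flags such as -SF (absent for udp)
    r"(?P<dir>IN|OUT)\s*$"                      # direction
)

EXTERNAL_IFACES = {"xl0"}  # assumption: xl0 faces the Internet, as in the quoted log


def parse_ipmon_line(line):
    """Return a dict of the fields described in the thread, or None for non-ipmon lines."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rec["flags"] = set(rec["flags"] or "")
    rec["blocked"] = rec["action"] == "b"
    return rec


def is_bogon_source(rec):
    """True if the source is an address that should never arrive from the Internet."""
    try:
        ip = ipaddress.ip_address(rec["src"])
    except ValueError:          # placeholder names such as my1st_DMZ-IP cannot be judged
        return False
    return ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_multicast


def classify(rec):
    """List the reasons one record looks crafted rather than like ordinary traffic."""
    reasons = []
    if rec["dir"] == "IN" and rec["iface"] in EXTERNAL_IFACES and is_bogon_source(rec):
        reasons.append("private/bogon source on the external interface (spoofed)")
    if {"S", "F"} <= rec["flags"]:
        reasons.append("SYN and FIN set together (never produced by a normal TCP stack)")
    if rec["proto"] == "tcp" and rec["sport"] == rec["dport"] and rec["sport"] < 1024:
        reasons.append("source port equals a privileged destination port (no ephemeral port)")
    return reasons


def find_sweeps(records, min_hosts=3):
    """Sources that hit the same port on at least min_hosts distinct destinations."""
    targets = {}
    for r in records:
        targets.setdefault((r["src"], r["proto"], r["dport"]), set()).add(r["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}


def analyze(lines):
    """Parse a batch of log lines and summarise blocked/passed counts, flagged records and sweeps."""
    records = [r for r in (parse_ipmon_line(l) for l in lines) if r]
    actions = Counter("blocked" if r["blocked"] else "passed" for r in records)
    flagged = []
    for r in records:
        reasons = classify(r)
        if reasons:
            flagged.append((r["ts"], r["src"], r["dst"], reasons))
    return {"parsed": len(records), "actions": actions,
            "flagged": flagged, "sweeps": find_sweeps(records)}


# Constructed sample input modelled on the quoted log lines.
SAMPLE_LINES = [
    # SYN+FIN from a private source to three DMZ hosts, all blocked by rule 4 of group 1
    "ipflog.0:Sep  5 14:35:02 tangra ipmon[31411]: 14:35:02.038646 xl0 @1:4 b 10.0.0.1,21 -> 192.0.2.10,21 PR tcp len 20 40 -SF IN",
    "ipflog.0:Sep  5 14:35:02 tangra ipmon[31411]: 14:35:02.041120 xl0 @1:4 b 10.0.0.1,21 -> 192.0.2.11,21 PR tcp len 20 40 -SF IN",
    "ipflog.0:Sep  5 14:35:05 tangra ipmon[31411]: 14:35:05.319257 xl0 @1:4 b 10.0.0.1,21 -> 192.0.2.12,21 PR tcp len 20 40 -SF IN",
    # plain SYN sweep of the same hosts from a routable source
    "Sep  4 21:31:43 tangra ipmon[31411]: 21:31:43.500001 xl0 @1:4 b 211.34.121.57,2429 -> 192.0.2.10,21 PR tcp len 20 40 -S IN",
    "Sep  4 21:31:43 tangra ipmon[31411]: 21:31:43.500123 xl0 @1:4 b 211.34.121.57,2430 -> 192.0.2.11,21 PR tcp len 20 40 -S IN",
    "Sep  4 21:31:43 tangra ipmon[31411]: 21:31:43.500245 xl0 @1:4 b 211.34.121.57,2431 -> 192.0.2.12,21 PR tcp len 20 40 -S IN",
    # a passed UDP packet (no flags field) and a syslog line that is not ipmon output
    "Sep  5 14:40:00 tangra ipmon[31411]: 14:40:00.000001 xl0 @1:2 p 211.34.121.57,53 -> 192.0.2.10,53 PR udp len 20 60 IN",
    "Sep  5 14:40:01 tangra sshd[123]: Accepted publickey for admin",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    print(result["parsed"], "lines parsed;", dict(result["actions"]))
    for ts, src, dst, reasons in result["flagged"]:
        print(ts, src, "->", dst, "|", "; ".join(reasons))
    for (src, proto, dport), hosts in result["sweeps"].items():
        print(f"sweep: {src} {proto}/{dport} -> {len(hosts)} hosts")
```

As the message points out, the "b" in the fourth field already tells you the rule did its job; what the parser adds is the evidence for the next step, since a private source seen on the outside interface is spoofed by definition and the only fix is ingress filtering at the provider, while the sweep and flag anomalies give you concrete timestamps and counts to hand them.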
==================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
Otpiswaneto RABOTI !!! : Majordomo@xxxxxxxxxxxxxxxxxx UNSUBSCRIBE LUG-BG
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora