Paul on Sat, 27 Sep 2003 22:25:24 -0400


Re: [PLUG] Firewall Check (HUGE POST)

Magnus Hedemark wrote:

On Friday 26 September 2003 06:21 pm, Paul wrote:

Please, scan me again.

I made this attempt to limit pings to one per second.

ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5

[root@tuna root]# ping -i .1
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=47 time=25.9 ms
64 bytes from icmp_seq=2 ttl=47 time=25.6 ms
64 bytes from icmp_seq=3 ttl=47 time=25.2 ms
64 bytes from icmp_seq=4 ttl=47 time=26.4 ms
64 bytes from icmp_seq=5 ttl=47 time=24.1 ms
64 bytes from icmp_seq=10 ttl=47 time=25.4 ms
64 bytes from icmp_seq=20 ttl=47 time=29.4 ms
64 bytes from icmp_seq=29 ttl=47 time=24.7 ms
64 bytes from icmp_seq=38 ttl=47 time=55.0 ms
64 bytes from icmp_seq=47 ttl=47 time=25.7 ms
64 bytes from icmp_seq=55 ttl=47 time=24.2 ms
64 bytes from icmp_seq=65 ttl=47 time=24.2 ms
64 bytes from icmp_seq=73 ttl=47 time=52.2 ms

So you can see an initial burst of 5/sec followed by roughly 1/sec getting through.

When I started playing with the packet size, somewhere around 5k my pings were denied altogether so it looks like you have greatly improved that hole as well.

Great! The ping limit actually works!

The other thing, I didn't consciously fix. I didn't do anything related to packet size. Hmm.

You should also see TCP 113 AUTH and UDP 53 DNS ports open now.

I see a *lot* more than that. Though AUTH is actually showing up as *closed*.

Port State Service
1/udp open tcpmux
2/udp open compressnet
3/udp open compressnet

Either I am not blocking any UDP ports or these are false positives. Since UDP is connectionless, UDP scans are usually less reliable, right? I hope. I'll check my UDP rules.
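The ICMP limit rule and the ping check discussed above, as an added example that is not from the list: it parses the icmp_seq values quoted in the thread (constructed sample) to estimate the burst and steady rate a firewall lets through, and models the netfilter limit match as a token bucket to show what `avg 1/sec burst 5` should produce for `ping -i .1`. The function names and the TARGET placeholder are assumptions.

```python
"""Check an iptables ICMP rate limit from ping output (added example)."""
import re
from fractions import Fraction
from statistics import median

# Constructed sample: the replies that got through `ping -i .1` in the
# thread (target omitted, as in the quoted output).
PING_OUTPUT = "\n".join(
    f"64 bytes from TARGET: icmp_seq={s} ttl=47 time=25.0 ms"
    for s in (1, 2, 3, 4, 5, 10, 20, 29, 38, 47, 55, 65, 73)
)
SEQ_RE = re.compile(r"icmp_seq=(\d+)")


def replied_seqs(output):
    """icmp_seq numbers of all echo replies found in ping output."""
    return [int(m.group(1)) for m in SEQ_RE.finditer(output)]


def estimate_limit(seqs, interval):
    """(burst, avg per second) implied by which probes were answered.

    burst: length of the initial unbroken run of replies.
    avg:   1 / median spacing in seconds between the later replies.
    """
    burst = 0
    for expected, seq in enumerate(seqs, start=1):
        if seq != expected:
            break
        burst += 1
    tail = seqs[burst:]
    if len(tail) < 2:
        return burst, None
    median_gap = median([b - a for a, b in zip(tail, tail[1:])])
    return burst, 1.0 / (median_gap * interval)


def probe_times(count, interval):
    """Send times of `count` probes spaced `interval` seconds apart (exact)."""
    return [i * Fraction(interval) for i in range(count)]


def limit_match(times, avg, burst):
    """Model of the netfilter `limit` match: a bucket holding `burst` tokens,
    refilled at `avg` tokens/second; probe i passes only if a token is left.
    Returns the 1-based probe numbers (icmp_seq) that pass."""
    tokens, last, passed = Fraction(burst), Fraction(0), []
    for i, t in enumerate(times, start=1):
        tokens = min(Fraction(burst), tokens + (t - last) * avg)
        last = t
        if tokens >= 1:
            tokens -= 1
            passed.append(i)
    return passed


if __name__ == "__main__":
    print("observed:", estimate_limit(replied_seqs(PING_OUTPUT), 0.1))
    print("model   :", limit_match(probe_times(80, "0.1"), avg=1, burst=5))
```

The model passes seq 1-5 and then every tenth probe; the thread's observed gaps of 8-10 probes are the same pattern with ping's timing jitter.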

Philadelphia Linux Users Group