Paul on Sat, 27 Sep 2003 22:25:24 -0400



Re: [PLUG] Firewall Check (HUGE POST)


Magnus Hedemark wrote:

> On Friday 26 September 2003 06:21 pm, Paul wrote:



>> Please, scan me again.  68.46.172.168
>>
>> I made this attempt to limit pings to one per second.
>>
>> ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5



> [root@tuna root]# ping -i .1 68.46.172.168
> PING 68.46.172.168 (68.46.172.168) 56(84) bytes of data.
> 64 bytes from 68.46.172.168: icmp_seq=1 ttl=47 time=25.9 ms
> 64 bytes from 68.46.172.168: icmp_seq=2 ttl=47 time=25.6 ms
> 64 bytes from 68.46.172.168: icmp_seq=3 ttl=47 time=25.2 ms
> 64 bytes from 68.46.172.168: icmp_seq=4 ttl=47 time=26.4 ms
> 64 bytes from 68.46.172.168: icmp_seq=5 ttl=47 time=24.1 ms
> 64 bytes from 68.46.172.168: icmp_seq=10 ttl=47 time=25.4 ms
> 64 bytes from 68.46.172.168: icmp_seq=20 ttl=47 time=29.4 ms
> 64 bytes from 68.46.172.168: icmp_seq=29 ttl=47 time=24.7 ms
> 64 bytes from 68.46.172.168: icmp_seq=38 ttl=47 time=55.0 ms
> 64 bytes from 68.46.172.168: icmp_seq=47 ttl=47 time=25.7 ms
> 64 bytes from 68.46.172.168: icmp_seq=55 ttl=47 time=24.2 ms
> 64 bytes from 68.46.172.168: icmp_seq=65 ttl=47 time=24.2 ms
> 64 bytes from 68.46.172.168: icmp_seq=73 ttl=47 time=52.2 ms
>
> So you can see an initial burst of 5/sec followed by roughly 1/sec getting through.
>
> When I started playing with the packet size, somewhere around 5k my pings were denied altogether so it looks like you have greatly improved that hole as well.



Great! The ping limit actually works!

The other thing, I didn't consciously fix. I didn't do anything related to packet size. Hmm.


>> You should also see TCP 113 AUTH and UDP 53 DNS ports open now.



> I see a *lot* more than that. Though AUTH is actually showing up as *closed*.
>
> Port State Service
> 1/udp open tcpmux
> 2/udp open compressnet
> 3/udp open compressnet



Either I am not blocking any UDP ports or these are false positives. Since UDP is connectionless, UDP scans are usually less reliable, right? I hope. I'll check my UDP rules.


_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
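Two small models, added here as an illustration and not code from anyone in the thread (nor from iptables, ping or nmap): first, the token bucket that the iptables `limit` match implements, which reproduces the "five through, then about one in ten" pattern in the ping output above when `ping -i .1` fires ten requests a second; second, a model of what a UDP scanner can conclude from the host's replies, which is why a firewall that silently DROPs UDP makes every port look "open" (a scanner that hears nothing cannot tell a silent service from a discarded packet; nmap of this era printed that case as open, later versions print open|filtered). The class and function names, the `"default"` rule key, the listening-port set and the exact 100 ms spacing are assumptions made for the example; real ping timing jitters, which is why the quoted run shows gaps of nine as well as ten.

```python
"""Added models for the PLUG firewall thread (hypothetical helper code,
not the poster's rules nor the iptables/nmap implementation)."""


class LimitMatch:
    """`-m limit --limit RATE/sec --limit-burst BURST` as a token bucket.

    Integer arithmetic throughout: time in milliseconds, credit in
    thousandths of a token, so the simulation is exact and repeatable.
    The bucket starts full (BURST tokens), refills at RATE tokens per
    second and a packet matches only while a whole token is available.
    A packet that does not match is not dropped by this rule; it falls
    through to whatever rule or chain policy comes next.
    """

    TOKEN = 1000  # credit units per token

    def __init__(self, rate_per_sec: int, burst: int):
        self.rate = rate_per_sec
        self.cap = burst * self.TOKEN
        self.credit = self.cap  # bucket is full when the rule is loaded
        self.last_ms = 0

    def matches(self, now_ms: int) -> bool:
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        # RATE tokens per second == RATE thousandths of a token per ms
        self.credit = min(self.cap, self.credit + elapsed * self.rate)
        if self.credit >= self.TOKEN:
            self.credit -= self.TOKEN
            return True
        return False


def passed_sequence(interval_ms: int, count: int, rate: int = 1, burst: int = 5) -> list:
    """icmp_seq numbers the ACCEPT rule lets through when ping sends `count`
    echo requests exactly `interval_ms` apart (icmp_seq starts at 1)."""
    rule = LimitMatch(rate, burst)
    return [seq for seq in range(1, count + 1) if rule.matches((seq - 1) * interval_ms)]


def udp_probe_response(port: int, rules: dict, listening: set, replies: set = frozenset()) -> str:
    """Constructed model of what one UDP probe to `port` gets back.

    `rules` maps port -> "ACCEPT" | "DROP" | "REJECT" with a "default" key
    for everything else (an assumed shape, not iptables syntax).  iptables
    `-j REJECT` answers with ICMP port-unreachable unless told otherwise,
    and an unfiltered stack does the same for a port nobody listens on.
    A listening service only answers if it is in `replies`; most ignore
    an empty probe.
    """
    action = rules.get(port, rules["default"])
    if action == "DROP":
        return "no-response"
    if action == "REJECT":
        return "icmp-port-unreachable"
    if port in listening:
        return "udp-reply" if port in replies else "no-response"
    return "icmp-port-unreachable"


def classify(response: str) -> str:
    """UDP-scan verdict for one response kind.  Silence is ambiguous:
    modern nmap reports open|filtered; the nmap of 2003 printed "open"."""
    return {
        "udp-reply": "open",
        "icmp-port-unreachable": "closed",
        "no-response": "open|filtered",
    }[response]


def udp_scan(ports, rules: dict, listening: set, replies: set = frozenset()) -> dict:
    """Port -> verdict for a scan of `ports` against the modelled host."""
    return {p: classify(udp_probe_response(p, rules, listening, replies)) for p in ports}


if __name__ == "__main__":
    print("ping -i .1 through limit 1/sec burst 5:", passed_sequence(100, 31))
    drop_all = {"default": "DROP"}                       # constructed rule set
    reject_unused = {"default": "REJECT", 53: "ACCEPT"}  # constructed rule set
    print("DROP everything :", udp_scan(range(1, 4), drop_all, {53}))
    print("REJECT unused   :", udp_scan([1, 53], reject_unused, {53}))
```

The token bucket explains the quoted run: the first five requests drain the burst, then one token arrives per second, so at ten requests a second only every tenth one matches the ACCEPT rule and the rest fall through to whatever rule follows. The scan model shows the trade-off behind the UDP question: DROP hides nothing from a scanner, it just turns every port into "open" or open|filtered, whereas REJECT lets closed ports be reported as closed at the cost of the firewall generating ICMP for every probe.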