RE: iptables anti-nimda anyone?

From: Eric Mroczka (emroczka@dimage.com)
Date: 09/25/01


Subject: RE: iptables anti-nimda anyone?
Date: Tue, 25 Sep 2001 09:03:14 -0400
Message-ID: <3698A5F976AF6144BA4C208D0B17C028019293@mickey.dimage.com>
From: "Eric Mroczka" <emroczka@dimage.com>
To: "Trevor Benson" <tbenson@gdxinc.com>

From: Trevor Benson
>
> A rather good solution to start off before doing the firewall rules to
> sort or check or inspect strings would be to adjust your router to the
> Internet's ACLs. This way you create control lists based on the external
> interface to your router; these lists state that the only systems allowed
> to get port 80 traffic are legitimate web addresses you have to offer web
> servers on. Thus if you have a block of IPs on the internet, and the
> firewall services them all, you cut out all but the 1-2 legitimate IPs
> that should get port 80 requests. This will alleviate the congestion on
> your Internet connection. In most cases, unless you have a single IP
> address on the Internet, this will cut down the bandwidth loss
> dramatically. Keeping most of the traffic with your ISP, rather than your
> firewall defending it. Then

  I agree with the concept of filtering out the unnecessary traffic at
your border router, but your pipe from your ISP is still going to get the
traffic. The ACLs you are referring to will simply keep the traffic
from passing through your router. They will not keep the traffic from
flooding your Internet connection to begin with. If enough machines are
trying to flood your block of addresses, you're going to suffer, unless you
can convince your ISP to filter the packets before they get into your
Internet pipe.

------
Eric Mroczka
emroczka@dimage.com
Digital Image Studios, Inc.
www.dimage.com
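The port-80 ACL Trevor describes, written as iptables rules on the firewall's FORWARD chain, as an added example that is not part of the original thread. The public block 192.0.2.0/24, external interface eth0 and the two web-server addresses are constructed assumptions; the function prints the rules rather than applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed assumptions:
# the firewall forwards traffic for the public block 192.0.2.0/24 arriving
# on eth0, and only two hosts in that block really serve web content.
EXT_IF="eth0"
PUBLIC_BLOCK="192.0.2.0/24"
WEB_SERVERS="192.0.2.10 192.0.2.11"

# Emit the ACL as iptables commands. Pipe the output into sh as root to
# apply it; printing keeps the rule set reviewable and testable offline.
web_acl_rules() {
    # Port 80 is accepted only towards the hosts that actually run a web server.
    for ip in $WEB_SERVERS; do
        echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $ip --dport 80 -j ACCEPT"
    done
    # Port 80 aimed at any other address in the block is dropped at the router.
    # The packet has already crossed the ISP link by the time this rule sees it,
    # so the rule spares the firewall and the hosts behind it, not the pipe
    # itself (Eric's point above). The byte counter of this rule, shown by
    # "iptables -L FORWARD -v -n", is bandwidth that was consumed anyway.
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $PUBLIC_BLOCK --dport 80 -j DROP"
}

web_acl_rules
```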


