Re: Block martians with source address 127.0.0.1

From: Thomas Corriher (thomas_corriher_at_earthlink.net)
Date: 06/01/04

    Date: Tue, 1 Jun 2004 07:33:26 -0400 (EDT)
    To: "focus-linux@securityfocus.com" <focus-linux@securityfocus.com>
    
    

    On Mon, 31 May 2004, Bjørn Rasmussen wrote:

    > iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG
    > iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
    >
    > The kernel on the firewall logs these packets as martians
    > which it should do, but my rules will not log or block
    > these packets. Anybody who knows how to do it? Is it
    > possible?

    With the kernel's IP-Chains (and probably IP-Tables) the
    first chain (rule) that matches a packet is applied to it,
    and ONLY THE FIRST RULE THAT MATCHES IS APPLIED to a packet.
    So, whenever the kernel matches a packet with:

            "iptables -A INPUT -i eth0 -s 127.0.0.1 ..."

    it then attempts to apply " -j LOG" without doing anything
    else to the packet. It simply moves on to checking the next
    packet after that. Therefore, the order of rules is always
    extremely important. If the "-j DROP" rule instead came
    before the "-j LOG" rule, then the matching packets would
    silently disappear ("DROP") without ever being logged;
    because the matching "DROP" rule came before the matching
    "LOG" rule. If you want two actions taken such as drop and
    log, then these commands must be in the same rule: on
    the same line. For instance, this would probably work:

            "-j DROP --log-level 5"

    By the way, from briefly browsing the documents, it appears
    that your syntax is incorrect as well. Please notice the
    differences in my "-j" parameters, and read the
    documentation.

    Please pardon me while I pick on you for the sake of the
    greater good. Your problems are representative of general
    newbie mistakes caused by having the wrong attitudes about
    operating systems and network security. I call it the
    "Microsoft Effect" on computing (one of the effects). You
    see: you took a user-friendly (possibly point and click)
    program (or template or script) to automatically manage your
    security. You avoided the frustrating and time consuming
    process of reading the technical documents. It was all too
    easy. Now you are in a situation of not understanding the
    how or why things work as they do. Your laziness will
    continue to place you at risk, and potentially allow your
    machines to become a menace to the global network. If
    that happens, YOU will be every bit as responsible for the
    problems as the script kiddies who took advantage of you.
    In legal terms, it is called "negligence". Until you
    endeavor to learn about the security of whatever operating
    system that you use; you will remain irresponsible. I also
    contend that attaching certain operating systems to the
    global Internet is irresponsible in any configuration; but
    that would be another rant. Some people assume that since a
    person is not allowed to view and change firewalling at a
    core level using Windows that these activities should not be
    necessary with unices. Again, this is the "Microsoft
    Effect". The unices have traditionally had much better security
    because they forced administrators to understand the how
    and why things work as they do. The "unfriendliness" that
    the unices are notorious for was a security blessing --
    since it forced lazy people to use other operating systems. As
    more software is created to make Linux easier, these sorts of
    situations will become common. Its security reputation will
    be unjustly tarnished.

    -- 
      Thomas Corriher
      A.I.M.: corriherct
      phone: 336-391-2713
      "I think anybody who doesn't think
      I'm smart enough to handle the job is
      misunderestimating."
        -- George W. Bush
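
    A worked log-and-drop ruleset for the situation in the thread, added here as an example; it is not part of the original post or of any distributed firewall script. It assumes the external interface is eth0, as in the question, and that IPT can be overridden (IPT="echo iptables") to dry-run without root. It goes beyond the post in two respects: the LOG target in iptables is non-terminating, so traversal continues to the rule after it, and the kernel's own martian-source check runs at route lookup, which happens after the PREROUTING hook but before INPUT, so a rule that is meant to see loopback-sourced packets from eth0 belongs in PREROUTING of the mangle table rather than in INPUT.

```shell
#!/bin/sh
# Added example, not from the original post: log, then drop, packets that
# arrive on the external interface with a loopback source address.
# Assumption: IPT may be overridden for a dry run, e.g.
#   IPT="echo iptables" sh martians.sh
IPT="${IPT:-iptables}"

# Build the rules. Argument 1 is the external interface (default eth0,
# as in the thread).
martian_rules() {
    ext_if="${1:-eth0}"

    # A dedicated chain carries both actions. LOG does not end traversal,
    # so the DROP rule placed after it still fires; the order inside the
    # chain is what decides whether anything gets logged before the drop.
    $IPT -t mangle -N LOGDROP 2>/dev/null || true
    $IPT -t mangle -F LOGDROP
    $IPT -t mangle -A LOGDROP -m limit --limit 5/min \
        -j LOG --log-prefix "martian-lo: " --log-level 5
    $IPT -t mangle -A LOGDROP -j DROP

    # Hook before the route lookup: the kernel discards a 127/8 source on a
    # non-loopback interface as a martian at routing time, so an INPUT rule
    # never sees these packets, but mangle PREROUTING does.
    $IPT -t mangle -A PREROUTING -i "$ext_if" -s 127.0.0.0/8 -j LOGDROP
}

# Keep the routing code's own martian logging and reverse-path check on as
# well, so the kernel log and the firewall log tell the same story.
martian_sysctl() {
    sysctl -w net.ipv4.conf.all.log_martians=1
    sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Only apply when executed directly with root privileges; sourcing the
# file just defines the functions.
if [ "${APPLY_MARTIAN_RULES:-0}" = "1" ]; then
    martian_rules eth0
    martian_sysctl
fi
```

    Run with IPT="echo iptables" first and read the emitted commands: the LOG rule must appear before the DROP rule in LOGDROP, and the jump into LOGDROP must be in mangle PREROUTING. Set APPLY_MARTIAN_RULES=1 and run as root to install it.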
    
