Re: Weird iptables issue
From: scott@_nospam_scottsavarese.com
Date: 01/24/03
- Next message: Wojtek Walczak: "Re: ssh"
- Previous message: Edu: "Re: Help proxy_arp"
- In reply to: Allen Kistler: "Re: Weird iptables issue"
- Next in thread: scott@_nospam_scottsavarese.com: "Re: Weird iptables issue"
- Reply: scott@_nospam_scottsavarese.com: "Re: Weird iptables issue"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: scott@_nospam_scottsavarese.com Date: 24 Jan 2003 16:28:00 GMT
Allen Kistler <akistler@ameritech.net> wrote:
> scott@_nospam_scottsavarese.com wrote:
>> [snip]
>>
>> I have a server that has two nics. On the internal side (wireless using
>> linksys access point to connect) dhcpd (the latest version) is configured
>> to serve addresses. I have set up a rule in iptables to only allow a
>> particular MAC address to make connections to the server. The system that
>> owns that mac address is turned off. I also have a laptop inside my
>> network. When I go to turn the laptop on it was able to get an IP
>> address. I don't have a rule to allow that MAC address access to the
>> server.
>>
>> I do have a LOG rule on my INPUT chain. The LOG rule is the last rule
>> before the INPUT chain DROPs the packet. I do see an entry in the firewall
>> log for the dhcp request:
>>
>> Jan 21 06:41:52 src@skibum firewall: INPUT: IN=eth1 [snip]
>>
>> So I thought that iptables should drop that packet. However I see a reply
>> to the packet from my dhcp server. I have no idea why the server would
>> reply. ...
> Yes, odd, if you really see a response. After the INPUT LOG is the
> default drop.
Yes... I am definitely seeing a response, which is something I don't
get. I have two hypotheses that need testing, but I am either thinking that
it has something to do with the fact that the client is sending to
255.255.255.255 or that there is something in the packet set such that the
system thinks it is an established/related connection... Am I missing
anything in my rules for broadcast packets such as this?
>> ... Also interesting... I ran an nmap -sU -P0 -p '60-70' 10.24.0.1
>> (local IP address), it returns telling me that all ports are open. Which
>> they shouldn't be (the laptop should see no ports open since the server
>> should drop all packets from it).
>>
>> Can somebody explain why it happens? Attached is my iptables -L -v output
> All your UDP ports that are dropped will show as open to nmap. No
> response to a UDP packet means (to the sender) it was accepted. ICMP
> destination-port-unreachable is the proper (i.e., RFC-compliant)
> response to a closed UDP port.
> Personally, I'd say, "No big deal." If someone wants to think all your
> UDP ports are listening, let them. Most folks with a scanner know that
> "silence" to all probes most likely means "firewalled" for UDP.
Yeah, let them think it's firewalled... It is good because they won't know
the difference between any open ports and ports that are actually
closed... I also don't like wasting bandwidth with replies to unwanted
packets. As long as it is normal, then I am happy... I just thought it was
related to the above problem...
Thanks for the help...Scott
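The ruleset the thread talks around (a MAC whitelist on the LAN interface, a LOG rule as the last rule before DROP, and the choice between silently dropping UDP or answering with ICMP port-unreachable) as an added, runnable dry-run script. This is not Scott's attached `iptables -L -v` output and not code from the list; the interface name `eth1`, the MAC `00:11:22:33:44:55` and the `APPLY` switch are constructed for the example. Without `APPLY=1` it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run builder for the INPUT
# policy discussed above: a MAC whitelist, LOG as the last rule, then DROP.
# Constructed values: LAN interface eth1, allowed MAC 00:11:22:33:44:55.
# Set APPLY=1 (as root) to execute the rules instead of only printing them.

LAN_IF="${LAN_IF:-eth1}"
ALLOWED_MAC="${ALLOWED_MAC:-00:11:22:33:44:55}"
APPLY="${APPLY:-0}"

ipt() {
    # Echo each rule so the ruleset can be reviewed; apply only on request.
    echo "iptables $*"
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    fi
}

# Usage: input_rules [drop|reject]
#   drop   - silent DROP for everything unmatched; a UDP scanner gets no
#            answer and reports the ports as open (or open|filtered)
#   reject - answer unmatched UDP with ICMP port-unreachable, the
#            RFC-compliant "closed port" reply, at the cost of a packet back
input_rules() {
    mode="${1:-drop}"
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the server itself started.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the trusted host may open new connections from the LAN side.
    ipt -A INPUT -i "$LAN_IF" -m mac --mac-source "$ALLOWED_MAC" -j ACCEPT
    # Everything else is logged with a recognisable prefix ...
    ipt -A INPUT -j LOG --log-prefix "INPUT: " --log-level info
    # ... then dropped, optionally after an ICMP rejection for UDP.
    if [ "$mode" = "reject" ]; then
        ipt -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    fi
    ipt -A INPUT -j DROP
}

# rule_count MODE: how many rules the chosen policy appends to INPUT
rule_count() {
    input_rules "$1" | grep -c ' -A INPUT '
}

input_rules "${UDP_REPLY:-drop}"
```

Run as `UDP_REPLY=reject sh rules.sh` to see the variant that answers UDP probes; `APPLY=1` installs it. Two caveats that follow from the thread: first, the LOG entry is the only evidence of a dropped packet, so keep the prefix unique and grep the firewall log for it when checking what the laptop actually sent. Second, an INPUT rule cannot fence off ISC dhcpd on Linux: dhcpd reads and writes raw packet sockets, which sit below the netfilter INPUT and OUTPUT hooks, so it sees the DISCOVER (and sends its OFFER) regardless of the drop that the LOG rule records. Restricting which clients a DHCP server answers has to be done in dhcpd's own configuration (host declarations with `deny unknown-clients;`), not in iptables.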