Re: What is this?
From: Anders (andersajja_at_hotmail.com)
Date: 10/01/05
- Next message: info: "Re: Small office firewall/vpn/security appliance"
- Previous message: Sir_George: "Re: Small office firewall/vpn/security appliance"
- Next in thread: Moe Trin: "Re: What is this?"
- Reply: Moe Trin: "Re: What is this?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 01 Oct 2005 15:31:55 GMT
Moe Trin wrote:
> In the Usenet newsgroup comp.security.firewalls, in article
> <C6R_e.34914$d5.190080@newsb.telia.net>, Anders wrote:
>
>
>>But I do realise that if I want to make use of my one mail/web and ftp
>>server I do have to open up a little.
>
>
> Yes, but you can restrict the range of addresses allowed to connect.
> Depending on the application, this may be a local configuration file, or
> it may be done with tcp_wrappers (man 5 hosts_access) if the application
> is run out of inetd/xinetd or is compiled with libwrap, or it may have
> to be done with a firewall setup. As far as mail goes, unless your host
> is published as a MX server (see the DNS stuff), no one other than the
> port scanners are going to know you have a mail server, and your ISP
> could be blocking inbound 25 anyway (all three of mine do) for spam control.
>
>
> The basic concept of DNS is relatively simple, but there are a lot of
> details to look at. Running a DNS server for a home LAN of less than 10
> systems is often a waste of effort (just put everything in /etc/hosts),
> but popular Linux distributions often have tools to set up a simple
> server that is authoritative for the local LAN, and forwards all other
> requests to the ISP, caching the result. For example, Red Hat (Fedora FC4)
> has
>
> -rw-r--r-- 1 mirror mirror 22749 Jan 5 23:04
> caching-nameserver-7.3-3.noarch.rpm
>
> to configure ISC Bind for this purpose.
>
I am planning to make use of Debian (on an older Celeron) for my server
experiments, after I am finished with this LFS I am working on. I am a
little bit lazy, so it will take some time.
I also have to read up a lot on the DNS and find out what it is I want
to do.
>
> [compton ~]$ whatis hping2
> hping2 (8)- send (almost) arbitrary TCP/IP packets to network hosts
> [compton ~]$
>
I did apt-get my own hping, and after I had played a little with it,
I had to look in my Snort log, because I didn't get any response from my
firewall.
I did find over 700 hits.
One of the explanations for what had happened, on snort.org, was this:
"BAD-TRAFFIC tcp port 0 traffic
This event is generated when TCP traffic to port 0 is detected.
This should not be seen in normal TCP communications.
This may be an attempt to verify the existence of a host or hosts at a
particular address or address range.
TCP traffic to port 0 is not valid under normal circumstances."
Have to be careful with this tool.
>
> I looked around the web site, but didn't find anything useful relating
> to the modification.
>
> Old guy
First, I have to apologize for the "traceroute -S udp p53"; the udp part
should not be in there at all. It is a blunder made by me, I can only
blame myself for that, I did not double check it. I am sorry.
Second, yes you are right, I did start looking for anything related
to Michael Schiffman and traceroute, and on this site,
"http://home.comcast.net/~dtgm/network/network.html" I find this:
"traceroute
Michael Schiffman patch stops increment enabling user to use 1 fixed
UDP port number (i.e. port 53)
http://www.pakcetfactory.net/Projects/firewalk/traceroute.diff", but
the link does not seem to work.
I even downloaded the traceroute 1.4a5 from the ftp site and looked in
the packet but there is nothing about him in there.
But I find this instead on
"http://www.packetfactory.net/firewalk/firewalk-final.html":
__________________________
""You will notice that the scan terminates immediately after the target
port is passed. This is due to the fact that traceroute continues to
increase the port numbers for each probe sent. The probe immediately
after the successful one will be denied by the ACL on the firewall. To
possibly get further, a simple modification to traceroute can be done to
add a command line switch to stop port incrementation (Figure 5). This
allows us to force every probe we send to be acceptable to the
firewall’s ACL (a side effect being that we might not get the normal
ICMP unreachable message from the ultimate destination due to the fact
that there might actually be something listening on the other end). See
appendix A for the source code patch.
zuul:~>traceroute -S -p53 10.0.0.15
traceroute to 10.0.0.15 (10.0.0.15), 30 hops max, 40 byte packets
1 10.0.0.1 (10.0.0.1) 0.516 ms 0.396 ms 0.390 ms
2 10.0.0.2 (10.0.0.2) 2.516 ms 2.476 ms 2.431 ms
3 10.0.0.3 (10.0.0.3) 5.060 ms 4.848 ms 4.721 ms
...
...
12 10.0.0.12 (10.0.0.12) 192.196 ms 185.265 ms *
13 10.0.0.13 (10.0.0.13) 168.151 ms 183.238 ms 183.458 ms
14 10.0.0.14 (10.0.0.14) 218.972 ms 209.388 ms 195.686 ms
15 10.0.0.15 (10.0.0.15) 236.102 ms 237.208 ms 230.185 ms
Figure 5""
___________________________
Anders
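The two patterns discussed in this thread, TCP traffic to port 0 (the Snort event Anders hit while playing with hping) and a traceroute whose destination port no longer increments per probe (the firewalk modification in the quoted paper), can both be picked out of a flow log on the defending side. The following is an added example, not code from the post or from the firewalk project; the packet records are constructed and the field layout is an assumption:

```python
from collections import defaultdict

# Constructed sample packet records (not from the original post):
# (src, dst, proto, dport, ttl)
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5", "tcp", 0, 64),      # hping to port 0
    ("192.0.2.10", "198.51.100.5", "tcp", 0, 64),
    ("192.0.2.20", "198.51.100.9", "udp", 53, 1),      # fixed-port TTL walk
    ("192.0.2.20", "198.51.100.9", "udp", 53, 2),
    ("192.0.2.20", "198.51.100.9", "udp", 53, 3),
    ("192.0.2.20", "198.51.100.9", "udp", 53, 4),
    ("192.0.2.30", "198.51.100.9", "udp", 53, 64),     # ordinary DNS query
    ("192.0.2.40", "198.51.100.9", "udp", 33434, 1),   # stock traceroute:
    ("192.0.2.40", "198.51.100.9", "udp", 33435, 2),   # port rises with TTL
    ("192.0.2.40", "198.51.100.9", "udp", 33436, 3),
]


def tcp_port0_hits(packets):
    """Mirror the Snort BAD-TRAFFIC rule quoted in the post: TCP to port 0
    is never legitimate, so every such packet is reported."""
    return [p for p in packets if p[2] == "tcp" and p[3] == 0]


def fixed_port_ttl_walks(packets, min_probes=3):
    """Report (src, dst, proto, dport) flows whose probes step the TTL up by
    one each time while the destination port stays fixed.  Stock traceroute
    moves the port with every probe, so its packets land in different flows
    and do not match; a traceroute patched to hold one port (the -S -p53
    run in the quoted paper) does."""
    by_flow = defaultdict(list)
    for src, dst, proto, dport, ttl in packets:
        by_flow[(src, dst, proto, dport)].append(ttl)
    hits = []
    for flow, ttls in by_flow.items():
        if len(ttls) < min_probes:
            continue
        if all(b == a + 1 for a, b in zip(ttls, ttls[1:])):
            hits.append(flow)
    return hits


if __name__ == "__main__":
    print("port-0 packets:", tcp_port0_hits(SAMPLE_PACKETS))
    print("fixed-port TTL walks:", fixed_port_ttl_walks(SAMPLE_PACKETS))
```

Any tool that holds the destination port while stepping the TTL will match the second check, so treat a hit as a lead to correlate with the firewall's own deny log rather than as proof of a firewalk run.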