Firewall: Flooded with DENY messages

Post by Roel » Fri, 19 Jan 2001 04:47:23



Hi All,

I'm running slackware 7.0 (kernel 2.2.13) and an ipchains firewall
(ipchains 1.3.9). Except for some ports (httpd, ssh, Quake, etc.) all
incoming traffic will be denied.
My problem is that the firewall denies packages not intended for me,
this causes the messages file to be flooded with denies unrelated to
eventual attacks to my machine.
See an excerpt of the messages file (the destination IP address, i.e.
131.155.226.127, is NOT my machine).

Jan 17 20:34:38 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.105:138 131.155.226.127:138 L=236 S=0x00 I=63277 F=0x0000 T=128 (#45)
Jan 17 20:34:55 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.121:137 131.155.226.127:137 L=78 S=0x00 I=9376 F=0x0000 T=128 (#45)
Jan 17 20:34:55 *dyne kernel: Packet log: input DENY eth0 PROTO=2 131.155.226.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=12303 F=0x0000 T=1 (#45)
Jan 17 20:34:56 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.121:137 131.155.226.127:137 L=78 S=0x00 I=9377 F=0x0000 T=128 (#45)
Jan 17 20:34:56 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.121:137 131.155.226.127:137 L=78 S=0x00 I=9378 F=0x0000 T=128 (#45)
Jan 17 20:35:08 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.115:138 131.155.226.127:138 L=245 S=0x00 I=869 F=0x0000 T=128 (#45)
Jan 17 20:35:08 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.101:138 131.155.226.127:138 L=262 S=0x00 I=57870 F=0x0000 T=128 (#45)
Jan 17 20:35:08 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.10:138 131.155.226.127:138 L=234 S=0x00 I=26128 F=0x0000 T=128 (#45)
Jan 17 20:35:08 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.105:138 131.155.226.127:138 L=239 S=0x00 I=64813 F=0x0000 T=128 (#45)
Jan 17 20:35:38 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.105:138 131.155.226.127:138 L=236 S=0x00 I=814 F=0x0000 T=128 (#45)
Jan 17 20:35:56 *dyne kernel: Packet log: input DENY eth0 PROTO=2 131.155.226.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=12413 F=0x0000 T=1 (#45)

Any Ideas,

Thx.


Firewall: Flooded with DENY messages

Post by Non » Fri, 19 Jan 2001 11:54:49




> Hi All,

> I'm running slackware 7.0 (kernel 2.2.13) and an ipchains firewall
> (ipchains 1.3.9). Except for some ports (httpd, ssh, Quake, etc.) all
> incoming traffic will be denied.
> My problem is that the firewall denies packages not intended for me,
> this causes the messages file to be flooded with denies unrelated to
> eventual attacks to my machine.
> See an excerpt of the messages file (the destination IP address, i.e.
> 131.155.226.127, is NOT my machine).

> Jan 17 20:34:38 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.105:138 131.155.226.127:138 L=236 S=0x00 I=63277 F=0x0000 T=128 (#45)

[swack]

The easiest thing is just to DENY and not log any packet not to your IP(s), or put
in a switch and that will get rid of a lot of it too. The .127 is
broadcast or multicast I think, so the switch might not help there.


Firewall: Flooded with DENY messages

Post by Roel » Sat, 20 Jan 2001 01:28:08



> The easiest thing is just to DENY and not log any packet not to your IP(s), or put
> in a switch and that will get rid of a lot of it too. The .127 is
> broadcast or multicast I think, so the switch might not help there.

Thx, the first solution did the trick. Added one line "$IPCHAINS -A input ! -d
$LOCALNET -j DENY" just before the line to log and DENY everything else.
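To see what the rule just described (and the NetBIOS rule suggested later in the thread) would have silenced, here is an added example, not code from the thread, that parses the kernel's "Packet log:" lines quoted above and buckets each denied packet as multicast, not addressed to this host, NetBIOS chatter to this host, or something actually aimed at this host. It assumes the host's own address is 131.155.226.50, a constructed value; the last two sample records are constructed as well.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Field layout of the 2.2-kernel ipchains "Packet log:" record quoted in the thread
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)
NETBIOS_PORTS = range(137, 140)  # 137-139, what Bill's REJECT rules cover

def parse_line(line):
    """Return the record's fields as a dict, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec

def classify(rec, local_ips):
    """Bucket a denied packet the way the thread's rules would treat it."""
    if ip_address(rec["dst"]).is_multicast:
        return "multicast"        # e.g. the IGMP query to 224.0.0.1
    if rec["dst"] not in local_ips:
        return "not-for-me"       # what "! -d $LOCALNET -j DENY" drops unlogged
    if rec["proto"] in (6, 17) and rec["dport"] in NETBIOS_PORTS:
        return "netbios"          # TCP/UDP 137-139, rejected silently
    return "to-me"                # aimed at this host: keep logging these

def summarize(lines, local_ips):
    """Count denied packets per bucket; lines that are not packet logs are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec, local_ips)] += 1
    return counts

# Two records from the thread joined back onto one line each, plus two constructed
# records aimed at 131.155.226.50, an assumed local address (not from the thread).
SAMPLE = [
    "Jan 17 20:34:38 dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.105:138 131.155.226.127:138 L=236 S=0x00 I=63277 F=0x0000 T=128 (#45)",
    "Jan 17 20:34:55 dyne kernel: Packet log: input DENY eth0 PROTO=2 131.155.226.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=12303 F=0x0000 T=1 (#45)",
    "Jan 17 20:36:01 dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.121:137 131.155.226.50:137 L=78 S=0x00 I=9400 F=0x0000 T=128 (#45)",
    "Jan 17 20:36:09 dyne kernel: Packet log: input DENY eth0 PROTO=6 131.155.226.140:3421 131.155.226.50:23 L=60 S=0x00 I=501 F=0x4000 T=64 (#45)",
]
```

Running `summarize(SAMPLE, {"131.155.226.50"})` over a real messages file shows how much of the flood is the first three buckets and how little is left in "to-me" once those are dropped without logging.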

Firewall: Flooded with DENY messages

Post by Bill Hudso » Sat, 20 Jan 2001 01:30:08





> > Hi All,

> > I'm running slackware 7.0 (kernel 2.2.13) and an ipchains firewall
> > (ipchains 1.3.9). Except for some ports (httpd, ssh, Quake, etc.) all
> > incoming traffic will be denied.
> > My problem is that the firewall denies packages not intended for me,
> > this causes the messages file to be flooded with denies unrelated to
> > eventual attacks to my machine.
> > See an excerpt of the messages file (the destination IP address, i.e.
> > 131.155.226.127, is NOT my machine).

> > Jan 17 20:34:38 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.105:138 131.155.226.127:138 L=236 S=0x00 I=63277 F=0x0000 T=128 (#45)
> [swack]

> The easiest thing is just to DENY and not log any packet not to your IP(s), or put
> in a switch and that will get rid of a lot of it too. The .127 is
> broadcast or multicast I think, so the switch might not help there.

Add the following chain near the top of the 'input' chain:

   ipchains -I input -p TCP -s 0/0 -d 0/0 137:139 -j REJECT

This will prevent NetBios/Samba from crossing your firewall in either
direction, and do it silently.

--
Bill Hudson


Firewall: Flooded with DENY messages

Post by Bill Hudso » Sat, 20 Jan 2001 01:35:26






> > > Hi All,

> > > I'm running slackware 7.0 (kernel 2.2.13) and an ipchains firewall
> > > (ipchains 1.3.9). Except for some ports (httpd, ssh, Quake, etc.) all
> > > incoming traffic will be denied.
> > > My problem is that the firewall denies packages not intended for me,
> > > this causes the messages file to be flooded with denies unrelated to
> > > eventual attacks to my machine.
> > > See an excerpt of the messages file (the destination IP address, i.e.
> > > 131.155.226.127, is NOT my machine).

> > > Jan 17 20:34:38 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.105:138 131.155.226.127:138 L=236 S=0x00 I=63277 F=0x0000 T=128 (#45)
> > [swack]

> > The easiest thing is just to DENY and not log any packet not to your IP(s), or put
> > in a switch and that will get rid of a lot of it too. The .127 is
> > broadcast or multicast I think, so the switch might not help there.

> Add the following chain near the top of the 'input' chain:

>    ipchains -I input -p TCP -s 0/0 -d 0/0 137:139 -j REJECT

Oops. You should also do a line just like the above with '-p UDP'.

--
Bill Hudson


Firewall: Flooded with DENY messages

Post by Christian Bonann » Sat, 20 Jan 2001 23:15:26



> Hi All,

> I'm running slackware 7.0 (kernel 2.2.13) and an ipchains firewall
> (ipchains 1.3.9). Except for some ports (httpd, ssh, Quake, etc.) all
> incoming traffic will be denied.
> My problem is that the firewall denies packages not intended for me,
> this causes the messages file to be flooded with denies unrelated to
> eventual attacks to my machine.
> See an excerpt of the messages file (the destination IP address, i.e.
> 131.155.226.127, is NOT my machine).

> Jan 17 20:34:38 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.105:138 131.155.226.127:138 L=236 S=0x00 I=63277 F=0x0000 T=128 (#45)
> Jan 17 20:34:55 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.121:137 131.155.226.127:137 L=78 S=0x00 I=9376 F=0x0000 T=128 (#45)
> Jan 17 20:34:55 *dyne kernel: Packet log: input DENY eth0 PROTO=2 131.155.226.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=12303 F=0x0000 T=1 (#45)
> Jan 17 20:34:56 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.121:137 131.155.226.127:137 L=78 S=0x00 I=9377 F=0x0000 T=128 (#45)
> Jan 17 20:34:56 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.121:137 131.155.226.127:137 L=78 S=0x00 I=9378 F=0x0000 T=128 (#45)
> Jan 17 20:35:08 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.115:138 131.155.226.127:138 L=245 S=0x00 I=869 F=0x0000 T=128 (#45)
> Jan 17 20:35:08 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.101:138 131.155.226.127:138 L=262 S=0x00 I=57870 F=0x0000 T=128 (#45)
> Jan 17 20:35:08 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.10:138 131.155.226.127:138 L=234 S=0x00 I=26128 F=0x0000 T=128 (#45)
> Jan 17 20:35:08 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.105:138 131.155.226.127:138 L=239 S=0x00 I=64813 F=0x0000 T=128 (#45)
> Jan 17 20:35:38 *dyne kernel: Packet log: input DENY eth0 PROTO=17 131.155.226.105:138 131.155.226.127:138 L=236 S=0x00 I=814 F=0x0000 T=128 (#45)
> Jan 17 20:35:56 *dyne kernel: Packet log: input DENY eth0 PROTO=2 131.155.226.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=12413 F=0x0000 T=1 (#45)

> Any Ideas,

> Thx.


1. arp message flood = firewall freezes up?

hello.

  I configured a FreeBSD 4.3 machine to be a firewall/natd machine.  I set
it up to run a "simple" firewall with an extra rule to allow DNS to get
through.

  Now, the problem is, our network (AT&T broadband cable modem) over the
last few days started being flooded by ARP messages -- literally one or two
a second all of the nature:

date/time arp who-has some-dns-name tell some-other-dns-name
date/time arp who-has 10.34.20.1 tell 10.32.25.17

  On the console and in the syslogs will be a tonne of "last message
repeated n times" messages, and after about six hours, the FreeBSD machine
will stop being able to make connections to the net (ssh, http, smtp, etc.
all can't make connections).

  Rebooting solves the problem immediately.

  Setting the firewall to type "open" solves the problem, obviously.

  The questions:

  1. Is this a known problem in older FreeBSD versions? (i.e. would 4.7 not
have this?)  Does anybody know what this is?
  2. Can I tweak a rule to perhaps get around this?

  Thanks,
  mark.
