
Re: Could someone please explain this output?



On 16 Aug 2001 17:12:14 -0500, Jor-el wrote:
> Hi,
> 
> 	Here is the output from 'ipchains -L input -v' :
> 
> Chain input (policy DENY: 0 packets, 0 bytes):
>  pkts bytes target     prot opt    tosa tosx  ifname     mark
> outsize  source                destination           ports
>   380 34580 ACCEPT     all  ------ 0xFF 0x00  lo
> anywhere             anywhere              n/a

Anything on local interface - accept

>     0     0 DENY       all  ----l- 0xFF 0x00  !lo
> 127.0.0.0/8          anywhere              n/a

Anything coming in pretending to be from localhost, not on lo, is spoofed
from a network interface.  Log it (the l flag).
> 10502 1034K ACCEPT     all  ------ 0xFF 0x00  eth1
> localnet/24          anywhere              n/a

Anything that is from the localnet going anywhere on the internal card
is ok.

>     0     0 DENY       all  ----l- 0xFF 0x00  eth0
> localnet/24          anywhere              n/a

Anything pretending to come from the internal net but comes in from the
external interface is spoofed. Log it.

> 15049 9223K ACCEPT     all  ------ 0xFF 0x00  eth0
> anywhere             cs9349-21.austin.rr.com  n/a

Anything from the world going to the external ip of this computer from
the external interface is ok.

>     0     0 ACCEPT     all  ------ 0xFF 0x00  eth0
> anywhere             255.255.255.255       n/a

Anyone broadcasting over the external net is ok.  Not sure what this is
doing here.  I wouldn't do this personally.

>     0     0 DENY       all  ----l- 0xFF 0x00  any
> anywhere             anywhere              n/a

Anything we didn't match above we should drop and log it.

> 
> 	This confirms Vineet's diagnosis. I can't help noticing that the 'l'
> flag is set in the 'opt' field every time the target is DENY. Is this a
> coincidence? Where is the meaning of this output documented? I couldn't
> find it anywhere.
> 
> 	Also, I am not sure of the purpose of these rules - especially the
> ones with DENY. Why are they blocking what they are blocking?
> 
> Thanks,
> Jor-el
> 
> On Thu, 16 Aug 2001, Vineet Kumar wrote:
> 
> > 
> > > 
> > > 	How do I interpret this output? For example, the lines handling
> > > the source = localnet/24 - will they let a packet from outside pass in or
> > > be rejected? Why are there two lines? This configuration is the result of
> > > me doing an 'apt-get install ipmasq' - so there really hasn't been any
> > > customization by me.
> > > 
> > 
> > You'll get more meaningful output with 
> > 
> > ipchains -L -v
> > 
> > What I suspect is going on is that the rules say something like
> > localhost/8 -i ! lo -j DENY and localnet/24 -i eth0 -j ACCEPT and
> > localnet/24 -i ! eth0 -j DENY. The -v flag will show you the interfaces
> > specified in the rules as well, so you can understand what's going on.
> > 
> > Cheers,

See above for hopefully !useless commentary.

--mike
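
The first-match reading of the input chain walked through above, as an added example that is not part of the original message: it models the seven listed rules and reports which one decides a given packet and whether it is logged. The addresses used for localnet/24 and for the external host are constructed assumptions, since the listing shows only names.

```python
import ipaddress

# Assumed values (not on the page): the listing shows only the names
# "localnet/24" and "cs9349-21.austin.rr.com", so constructed addresses stand in.
LOCALNET = "192.168.1.0/24"   # assumption for localnet/24
EXT_IP = "203.0.113.21/32"    # assumption for the external address
ANY = "0.0.0.0/0"

# (target, log, interface, source, destination) in listing order.
# Interface "!lo" means any interface except lo; "any" matches all.
INPUT_CHAIN = [
    ("ACCEPT", False, "lo",   ANY,           ANY),
    ("DENY",   True,  "!lo",  "127.0.0.0/8", ANY),
    ("ACCEPT", False, "eth1", LOCALNET,      ANY),
    ("DENY",   True,  "eth0", LOCALNET,      ANY),
    ("ACCEPT", False, "eth0", ANY,           EXT_IP),
    ("ACCEPT", False, "eth0", ANY,           "255.255.255.255/32"),
    ("DENY",   True,  "any",  ANY,           ANY),
]

def iface_matches(rule_if, pkt_if):
    if rule_if == "any":
        return True
    if rule_if.startswith("!"):
        return pkt_if != rule_if[1:]
    return pkt_if == rule_if

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(pkt_if, src, dst, chain=INPUT_CHAIN, policy="DENY"):
    """Return (rule_number, target, logged) for the first matching rule."""
    for num, (target, log, rif, rsrc, rdst) in enumerate(chain, start=1):
        if iface_matches(rif, pkt_if) and in_net(src, rsrc) and in_net(dst, rdst):
            return num, target, log
    return 0, policy, False   # nothing matched: the chain policy applies

if __name__ == "__main__":
    samples = [  # constructed packets: (arrival interface, source, destination)
        ("eth1", "192.168.1.10", "198.51.100.7"),
        ("eth0", "192.168.1.10", "203.0.113.21"),
        ("eth0", "127.0.0.1", "203.0.113.21"),
        ("eth0", "198.51.100.7", "203.0.113.21"),
        ("eth0", "198.51.100.7", "192.168.1.10"),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```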


