
Re: ipmasq packet logs



On Wed, Oct 18, 2000 at 10:22:00PM -0400, kiss the sun and walk on air wrote:
> I'm getting a ton of multicast-related deny's in my syslogs from the
> ipmasq rules package, here's a sample:
> 
> Oct 18 22:19:47 meatloaf kernel: Packet log: input DENY eth0 PROTO=89 24.129.71.254:65535 224.0.0.5:65535 L=64 S=0xC0 I=24259 F=0x0000 T=1 (#8)
> Oct 18 22:19:49 meatloaf kernel: Packet log: input DENY eth0 PROTO=1 24.129.69.30:10 224.0.0.2:0 L=28 S=0x00 I=6400 F=0x0000 T=128 (#8)
> Oct 18 22:19:57 meatloaf kernel: Packet log: input DENY eth0 PROTO=89 24.129.71.254:65535 224.0.0.5:65535 L=64 S=0xC0 I=24456 F=0x0000 T=1 (#8)
> Oct 18 22:20:07 meatloaf kernel: Packet log: input DENY eth0 PROTO=89 24.129.71.254:65535 224.0.0.5:65535 L=64 S=0xC0 I=24660 F=0x0000 T=1 (#8)
> 
> I tried adding
> $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d 224.0.0.0/240.0.0.0 -p ! tcp
> 
> to the I30internal.rul set, but that has no effect.  I'm really not
> sure what I have to do to block these, any help would be
> appreciated. Thanks.

looks like the only place designed to tweak the multicast
stuff is O30internal.* --

# grep 224 *
O30internal.def:    $IPFWADM -O -a accept -W $i -D 224.0.0.0/240.0.0.0 -P udp
O30internal.def:    $IPFWADM -O -a accept -W $i -D 224.0.0.0/240.0.0.0 -P icmp
O30internal.def:    $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -d 224.0.0.0/240.0.0.0 -p ! tcp

hmm.

my thots--

the ZZZ* rules file is where all the 'if-it-falls-through-then-
log-the-sucker' rules are.

there are some others, too, but those are mostly for spoofing
attacks. try 'ipchains -nL' and look for '----l-' under the
'options' heading. these are the rules that add to your
logfile output.

you might insert some 'accept' or 'deny' or 'reject' rules
of your own in a Z99runSilentRunDeep.rul file or some such,
to catch them before the fall-through 'log this' rule takes
action.


-- 
self-reference, n: see self-reference.

will@serensoft.com   ***   http://www.dontUthink.com/
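
An added example, not part of the original message: a small parser for the ipchains "Packet log:" lines quoted above that counts hits per chain, logging rule number, protocol and destination, so you can see which rule is producing the noise before writing a silent rule ahead of it. The names parse, summarize and PROTO_NAMES are this example's own; the sample input is the four log lines from the quoted message.

```python
import re
from collections import Counter
from ipaddress import ip_address

# The four kernel log lines from the quoted message, copied verbatim.
SAMPLE = """\
Oct 18 22:19:47 meatloaf kernel: Packet log: input DENY eth0 PROTO=89 24.129.71.254:65535 224.0.0.5:65535 L=64 S=0xC0 I=24259 F=0x0000 T=1 (#8)
Oct 18 22:19:49 meatloaf kernel: Packet log: input DENY eth0 PROTO=1 24.129.69.30:10 224.0.0.2:0 L=28 S=0x00 I=6400 F=0x0000 T=128 (#8)
Oct 18 22:19:57 meatloaf kernel: Packet log: input DENY eth0 PROTO=89 24.129.71.254:65535 224.0.0.5:65535 L=64 S=0xC0 I=24456 F=0x0000 T=1 (#8)
Oct 18 22:20:07 meatloaf kernel: Packet log: input DENY eth0 PROTO=89 24.129.71.254:65535 224.0.0.5:65535 L=64 S=0xC0 I=24660 F=0x0000 T=1 (#8)
"""

# ipchains log layout: chain, action, interface, protocol number,
# src:port, dst:port, then the L/S/I/F/T fields and, when the kernel
# prints it, the number of the rule that logged the packet.
LINE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:.*\(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 89: "ospf"}


def parse(line):
    """Return a dict for one 'Packet log:' line, or None if it is not one."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    rec["multicast"] = ip_address(rec["dst"]).is_multicast  # 224.0.0.0/4
    return rec


def summarize(text):
    """Count logged packets per (chain, rule number, protocol, destination)."""
    counts = Counter()
    for rec in filter(None, map(parse, text.splitlines())):
        proto = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
        counts[(rec["chain"], rec["rule"], proto, rec["dst"])] += 1
    return counts


if __name__ == "__main__":
    for (chain, rule, proto, dst), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  chain={chain} rule=#{rule} proto={proto} dst={dst}")
```

On the sample, every hit is logged by rule #8 of the input chain, which is the rule a quiet accept/deny entry has to precede. For PROTO=1 (ICMP) lines the two "port" fields hold the ICMP type and code rather than ports.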


