* another quick question
@ 2004-09-20  8:02 Askar
  2004-09-20  8:48 ` George Alexandru Dragoi
  2004-09-20 10:02 ` Chris Brenton
  0 siblings, 2 replies; 3+ messages in thread
From: Askar @ 2004-09-20  8:02 UTC (permalink / raw)
  To: netfilter

hi again
My second question of the day is: please first check these few rules from
our firewall script

iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP

aren't there unnecessary repetitions? A port that is dropped in the
FORWARD chain is again dropped in the PREROUTING chain, and also why was he (my
predecessor) dropping such ports in the INPUT table? Isn't it unnecessary,
because it's a Linux box; no ports 135:140 are open on our fw machine.

Today I just deleted the PREROUTING rules and now I'm getting counts
for packet drops in the FORWARD table.

regards
askar


-- 
(after bouncing head on desk for days trying to get mine working, I'll make
yer life a little easier)



* Re: another quick question
From: George Alexandru Dragoi @ 2004-09-20  8:48 UTC (permalink / raw)
  To: netfilter

It is strongly related to the other question, same RPC/DCOM problems.


On Mon, 20 Sep 2004 14:02:57 +0600, Askar <askarali@gmail.com> wrote:
> hi again
> My second question of the day is: please first check these few rules from
> our firewall script
> 
> iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> 
> aren't there unnecessary repetitions? A port that is dropped in the
> FORWARD chain is again dropped in the PREROUTING chain, and also why was he (my
> predecessor) dropping such ports in the INPUT table? Isn't it unnecessary,
> because it's a Linux box; no ports 135:140 are open on our fw machine.
> 
> Today I just deleted the PREROUTING rules and now I'm getting counts
> for packet drops in the FORWARD table.
> 
> regards
> askar
> 
> --
> (after bouncing head on desk for days trying to get mine working, I'll make
> yer life a little easier)
> 
> 



-- 
Bla bla



* Re: another quick question
From: Chris Brenton @ 2004-09-20 10:02 UTC (permalink / raw)
  To: Askar; +Cc: netfilter

On Mon, 2004-09-20 at 04:02, Askar wrote:
>
> iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> 
> aren't there unnecessary repetitions?

Agreed. The "proper" place for filtering rules is the INPUT and/or
FORWARD chain. You should be able to delete the two PREROUTING rules
without a problem.

> also why was he (my
> predecessor) dropping such ports in the INPUT table? Isn't it unnecessary,
> because it's a Linux box; no ports 135:140 are open on our fw machine.

Unless you run SAMBA. ;-)

My guess is it was done to keep the traffic from hitting a later logging
rule, but it's hard to say without seeing the entire rule base. It could
also have something to do with the "permit what has not been denied"
policy you mentioned in your last e-mail. Either way, it should not hurt
anything and it's a good idea to block outbound NetBIOS/IP if your
organization does not need it to do business. Attackers can use it to
transfer a rootkit onto the system. If the ports are blocked, their
lives become just a little bit harder.

HTH,
Chris
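As an added illustration of the advice above (this is not code from the thread or from the netfilter project), the script below keeps the 135:140 block in the filter table's INPUT and FORWARD chains only, strips the duplicate nat-table DROP rules out of an existing rule script, and shows where to read the drop counters afterwards. The `IPT` variable, the `prune_nat_drops` and `count_pruned` helpers and the `--demo` flag are assumptions of this example; by default it only prints the iptables commands, so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to a dry run that only
# echoes the commands; run with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Emit the cleaned rule set: TCP and UDP 135:140 dropped in INPUT (traffic
# addressed to the firewall itself) and FORWARD (traffic routed through it).
# Nothing goes into the nat table, which is for address translation only.
apply_netbios_block() {
    for chain in INPUT FORWARD; do
        for proto in tcp udp; do
            $IPT -A "$chain" -p "$proto" --dport 135:140 -j DROP
        done
    done
}

# Filter an existing rule script on stdin: pass every line through except
# DROP rules placed in the nat table, which duplicate the filter-table rules.
prune_nat_drops() {
    grep -v -E -- '-t[[:space:]]+nat[[:space:]].*-j[[:space:]]+DROP'
}

# Report how many lines a rule script loses when pruned (sanity check).
count_pruned() {
    before=$(wc -l < "$1")
    after=$(prune_nat_drops < "$1" | wc -l)
    echo $((before - after))
}

# Constructed sample: the six rules quoted earlier in the thread.
SAMPLE_RULES='iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP'

# After applying, the packet/byte counters to watch are on the filter
# chains; with the nat rules gone, drops show up in INPUT and FORWARD.
show_counters() {
    $IPT -L INPUT -v -n
    $IPT -L FORWARD -v -n
}

if [ "${1-}" = "--demo" ]; then
    echo "# pruned rule script:"
    printf '%s\n' "$SAMPLE_RULES" | prune_nat_drops
    echo "# equivalent cleaned rule set:"
    apply_netbios_block
    echo "# where to read the drop counters:"
    show_counters
fi
```

Run it as `sh script.sh --demo` to see the pruned script and the commands it would issue; `prune_nat_drops` can also be pointed at a real rule file to check how many nat-table DROP lines it contains before editing.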




