* Dropping network "noise"
@ 2005-02-13 6:28 Mikhail Zotov
2005-02-13 12:03 ` Jose Maria Lopez Hernandez
2005-02-15 16:15 ` Jason Opperisano
0 siblings, 2 replies; 12+ messages in thread
From: Mikhail Zotov @ 2005-02-13 6:28 UTC (permalink / raw)
To: netfilter
Hello everybody,
I have a Linux machine (with a static routable IP address)
connected to a windoops LAN. As is known, there is certain
"noise" in windoops networks, which can be silently dropped
by a rule like this:
iptables -A INPUT -p udp --dport 135:139 -j DROP
I have found that this "noise" can also be effectively blocked
by the following rule:
iptables -A INPUT -d ! $IP.ADDRESS.OF.MY_BOX -j DROP
I haven't noticed anything going wrong yet, still I'd like to
know: Does this rule have a (potential) drawback? Can it break
anything in case I have NFS or obtain IP address via DHCP or
in any other situation?
A similar question goes for the case of a Linux router/gateway
protecting a LAN (with machines with routable IP addresses).
Can the following rules do any harm?
iptables -A FORWARD -i $EXTERIOR_INTERFACE -d $LAN.BROADCAST -j DROP
iptables -A FORWARD -i $EXTERIOR_INTERFACE -d ! $LAN.IP.ADDRESSES.RANGE -j DROP
Thanks in advance!
--
Mikhail
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Dropping network "noise"
2005-02-13 6:28 Dropping network "noise" Mikhail Zotov
@ 2005-02-13 12:03 ` Jose Maria Lopez Hernandez
2005-02-13 13:09 ` Georgi Alexandrov
2005-02-13 13:30 ` Mikhail Zotov
2005-02-15 16:15 ` Jason Opperisano
1 sibling, 2 replies; 12+ messages in thread
From: Jose Maria Lopez Hernandez @ 2005-02-13 12:03 UTC (permalink / raw)
To: netfilter
On Sun, 13-02-2005 at 09:28 +0300, Mikhail Zotov wrote:
> Hello everybody,
>
> I have a Linux machine (with a static routable IP address)
> connected to a windoops LAN. As is known, there is certain
> "noise" in windoops networks, which can be silently dropped
> by a rule like this:
>
> iptables -A INPUT -p udp --dport 135:139 -j DROP
That's OK, but also DROP port 445 because there's also a great
amount of traffic in that port.
> I have found that this "noise" can also be effectively blocked
> by the following rule:
>
> iptables -A INPUT -d ! $IP.ADDRESS.OF.MY_BOX -j DROP
Yes, it's a rule to prevent spoofing. It's OK *if* and *only if*
$IP.ADDRESS.OF.MY_BOX is really the IP address of your
box, and the *only* IP address of your box (you can have more
than one for various reasons).
> I haven't noticed anything going wrong yet, still I'd like to
> know: Does this rule have a (potential) drawback? Can it break
> anything in case I have NFS or obtain IP address via DHCP or
> in any other situation?
NFS doesn't have any problem, but if you receive your IP via
DHCP you must change the IP in the rule to the one received.
And also if you use Zeroconf you must have a rule to accept
the traffic for the Zeroconf IP.
> A similar question goes for the case of a Linux router/gateway
> protecting a LAN (with machines with routable IP addresses).
> Can the following rules do any harm?
>
> iptables -A FORWARD -i $EXTERIOR_INTERFACE -d $LAN.BROADCAST -j DROP
If you don't want to receive traffic to your broadcast address, it's OK.
> iptables -A FORWARD -i $EXTERIOR_INTERFACE -d ! $LAN.IP.ADDRESSES.RANGE -j DROP
And this is another anti-spoofing rule. I'll tell you the same as
for the previous rule: it's OK if $LAN.IP.ADDRESSES.RANGE is right.
> Thanks in advance!
>
> --
> Mikhail
Regards.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Security and IT Systems Consulting
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
* Re: Dropping network "noise"
2005-02-13 12:03 ` Jose Maria Lopez Hernandez
@ 2005-02-13 13:09 ` Georgi Alexandrov
2005-02-13 13:30 ` Mikhail Zotov
2005-02-13 13:56 ` Jose Maria Lopez Hernandez
2005-02-13 13:30 ` Mikhail Zotov
1 sibling, 2 replies; 12+ messages in thread
From: Georgi Alexandrov @ 2005-02-13 13:09 UTC (permalink / raw)
To: netfilter
Jose Maria Lopez Hernandez wrote:
>On Sun, 13-02-2005 at 09:28 +0300, Mikhail Zotov wrote:
>
>
>>Hello everybody,
>>
>>I have a Linux machine (with a static routable IP address)
>>connected to a windoops LAN. As is known, there is certain
>>"noise" in windoops networks, which can be silently dropped
>>by a rule like this:
>>
>>iptables -A INPUT -p udp --dport 135:139 -j DROP
>>
>>
>
>That's OK, but also DROP port 445 because there's also a great
>amount of traffic in that port.
>
>
>
How exactly is that OK? I guess you don't have anything listening on
135-139/udp, right?
So you won't "save" any traffic with a rule like that; that's how
Ethernet works.
The only point in a rule like that, maybe, is if you are logging unmatched
packets at the end of the filter table's INPUT chain and don't
want your logs flooded by that broadcast traffic.
>>I have found that this "noise" can also be effectively blocked
>>by the following rule:
>>
>>iptables -A INPUT -d ! $IP.ADDRESS.OF.MY_BOX -j DROP
>>
>>
>
>Yes, it's a rule to prevent spoofing. It's OK *if* and *only if*
>$IP.ADDRESS.OF.MY_BOX is really the IP address of your
>box, and the *only* IP address of your box (you can have more
>than one for various reasons).
>
>
>
>>I haven't noticed anything going wrong yet, still I'd like to
>>know: Does this rule have a (potential) drawback? Can it break
>>anything in case I have NFS or obtain IP address via DHCP or
>>in any other situation?
>>
>>
>
>NFS doesn't have any problem, but if you receive your IP via
>DHCP you must change the IP in the rule with the one received.
>And also if you use Zeroconf you must have a rule to accept
>the traffic for the Zeroconf IP.
>
>
>
>>A similar question goes for the case of a Linux router/gateway
>>protecting a LAN (with machines with routable IP addresses).
>>Can the following rules do any harm?
>>
>>iptables -A FORWARD -i $EXTERIOR_INTERFACE -d $LAN.BROADCAST -j DROP
>>
>>
>
>If you don't want to receive traffic to your broadcast address, it's OK.
>
>
Same thing here... you will receive that broadcast traffic no matter
what. Dropping it won't help.
>
>
>>iptables -A FORWARD -i $EXTERIOR_INTERFACE -d ! $LAN.IP.ADDRESSES.RANGE -j DROP
>>
>>
>
>And this is another anti-spoofing rule. I'll tell you the same as
>for the previous rule: it's OK if $LAN.IP.ADDRESSES.RANGE is right.
>
>
>
>>Thanks in advance!
>>
>>--
>>Mikhail
>>
>>
>
>Regards.
>
>
>
regards,
Georgi Alexandrov
* Re: Dropping network "noise"
2005-02-13 13:09 ` Georgi Alexandrov
@ 2005-02-13 13:30 ` Mikhail Zotov
2005-02-13 13:56 ` Jose Maria Lopez Hernandez
1 sibling, 0 replies; 12+ messages in thread
From: Mikhail Zotov @ 2005-02-13 13:30 UTC (permalink / raw)
To: netfilter
On Sunday 13 February 2005 16:09, Georgi Alexandrov wrote:
> Jose Maria Lopez Hernandez wrote:
> >On Sun, 13-02-2005 at 09:28 +0300, Mikhail Zotov wrote:
> >>I have a Linux machine (with a static routable IP address)
> >>connected to a windoops LAN. As is known, there is certain
> >>"noise" in windoops networks, which can be silently dropped
> >>by a rule like this:
> >>
> >>iptables -A INPUT -p udp --dport 135:139 -j DROP
> >>
> >
> >That's OK, but also DROP port 445 because there's also a great
> >amount of traffic in that port.
> >
> How exactly is that OK?
> The only point in a rule like that, maybe, is if you are logging unmatched
> packets at the end of the filter table's INPUT chain and don't
> want your logs flooded by that broadcast traffic.
Yes, I just want to drop them silently without logging.
Otherwise I get hundreds of "noisy" records every day.
Regards,
Mikhail
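Mikhail's concern above is the log, not the wire: the drop rules exist to keep LAN chatter out of the firewall log. Before silencing anything it is worth measuring what that chatter actually is. The following shell/awk script is an added example and not code from the thread or from Mikhail's script: it reads lines written by the iptables LOG target (the `IN=... SRC=... DST=... PROTO=... DPT=...` layout) on stdin and counts them per class. The class names, the `/24`-style last-octet-255 heuristic for broadcast, and the four sample log lines are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies iptables LOG lines so you can
# see how much of the log is LAN chatter before adding silent DROP rules.
#
# classify_noise < logfile
# Classes (this example's own definitions):
#   bcast   - destination is a broadcast or multicast address
#   netbios - UDP/TCP 135-139 (RPC endpoint mapper, NetBIOS) or TCP 445 (SMB)
#   other   - everything else, i.e. what the log should keep showing
classify_noise() {
    awk '
    {
        dst = ""; proto = ""; dpt = 0
        # Every interesting field is KEY=VALUE; tokens without "=" (SYN, DF...) are skipped.
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "DST") dst = v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dpt = v + 0
        }
        # Assumption: a last octet of 255 (typical /24 directed broadcast), the
        # limited broadcast, or a 224.0.0.0/4 address counts as broadcast/multicast.
        bcast = (dst ~ /\.255$/ || dst == "255.255.255.255" || dst ~ /^2(2[4-9]|3[0-9])\./)
        netbios = ((proto == "UDP" || proto == "TCP") && dpt >= 135 && dpt <= 139) ||
                  (proto == "TCP" && dpt == 445)
        if (bcast) c["bcast"]++
        else if (netbios) c["netbios"]++
        else c["other"]++
    }
    END {
        printf "bcast=%d netbios=%d other=%d\n", c["bcast"], c["netbios"], c["other"]
    }'
}

# Constructed sample in the layout the LOG target writes: two NetBIOS
# broadcasts, one SMB probe to our own address, one real SSH attempt.
SAMPLE='Feb 13 09:01:02 host kernel: INPUT-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.20 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 13 09:01:03 host kernel: INPUT-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:56:08:00 SRC=192.0.2.21 DST=192.0.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=2 PROTO=UDP SPT=138 DPT=138 LEN=209
Feb 13 09:01:04 host kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:57:08:00 SRC=192.0.2.22 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=3 PROTO=TCP SPT=1234 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 13 09:01:05 host kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:58:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0'

# Runs the classifier over the constructed sample and prints the count line.
# On a real box pipe the log through instead, e.g.:
#   grep 'INPUT-DROP:' /var/log/messages | classify_noise
noise_report() {
    printf '%s\n' "$SAMPLE" | classify_noise
}
```

Whatever lands in `other` is the traffic the LOG rule is there for; the `bcast` and `netbios` counts tell you how much a silent-drop chain placed before LOG would remove from the log, and a non-zero `netbios` count on a unicast destination is exactly the 445 case Jose describes.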
* Re: Dropping network "noise"
2005-02-13 12:03 ` Jose Maria Lopez Hernandez
2005-02-13 13:09 ` Georgi Alexandrov
@ 2005-02-13 13:30 ` Mikhail Zotov
1 sibling, 0 replies; 12+ messages in thread
From: Mikhail Zotov @ 2005-02-13 13:30 UTC (permalink / raw)
To: netfilter
On Sunday 13 February 2005 15:03, Jose Maria Lopez Hernandez wrote:
> On Sun, 13-02-2005 at 09:28 +0300, Mikhail Zotov wrote:
[snip]
> > Can the following rules do any harm?
> >
> > iptables -A FORWARD -i $EXTERIOR_INTERFACE -d $LAN.BROADCAST -j DROP
>
> If you don't want to receive traffic to your broadcast address, it's OK.
>
> > iptables -A FORWARD -i $EXTERIOR_INTERFACE -d ! $LAN.IP.ADDRESSES.RANGE -j DROP
>
> And this is another anti-spoofing rule. I'll tell you the same as
> for the previous rule: it's OK if $LAN.IP.ADDRESSES.RANGE is right.
Thank you very much for the answer.
I'm really glad the rules don't break any network things
I am not aware of yet. :-)
Regards,
Mikhail
* Re: Dropping network "noise"
2005-02-13 13:09 ` Georgi Alexandrov
2005-02-13 13:30 ` Mikhail Zotov
@ 2005-02-13 13:56 ` Jose Maria Lopez Hernandez
2005-02-13 20:54 ` R. DuFresne
1 sibling, 1 reply; 12+ messages in thread
From: Jose Maria Lopez Hernandez @ 2005-02-13 13:56 UTC (permalink / raw)
To: netfilter
On Sun, 13-02-2005 at 15:09 +0200, Georgi Alexandrov wrote:
> Jose Maria Lopez Hernandez wrote:
>
> >On Sun, 13-02-2005 at 09:28 +0300, Mikhail Zotov wrote:
> >
> >
> >>Hello everybody,
> >>
> >>I have a Linux machine (with a static routable IP address)
> >>connected to a windoops LAN. As is known, there is certain
> >>"noise" in windoops networks, which can be silently dropped
> >>by a rule like this:
> >>
> >>iptables -A INPUT -p udp --dport 135:139 -j DROP
> >>
> >>
> >
> >That's OK, but also DROP port 445 because there's also a great
> >amount of traffic in that port.
> >
> >
> >
> How exactly is that OK? I guess you don't have anything listening on
> 135-139/udp, right?
The OP *wanted* to DROP those ports, and their rules were OK. That's
all I said. And bear in mind that even if you are not listening on
those ports you respond with RST-ACK packets if you don't DROP the
connections. I have to DROP the 445 packets from the Internet because
they cause my machine to send traffic I don't want to be sent.
> So you won't "save" any traffic with a rule like that; that's how
> Ethernet works.
You save the RST-ACK responses, if I'm not wrong.
> The only point in a rule like that, maybe, is if you are logging unmatched
> packets at the end of the filter table's INPUT chain and don't
> want your logs flooded by that broadcast traffic.
That's right. But if you want to DROP the Netbios packets also
there's nothing wrong with it.
> >If you don't want to receive traffic to your broadcast address, it's OK.
> >
> >
> Same thing here... you will receive that broadcast traffic no matter
> what. Dropping it won't help.
Same reason as before. You receive the packets, but you don't
answer them.
> regards,
> Georgi Alexandrov
Regards.
--
Jose Maria Lopez Hernandez
* Re: Dropping network "noise"
2005-02-13 13:56 ` Jose Maria Lopez Hernandez
@ 2005-02-13 20:54 ` R. DuFresne
2005-02-13 21:35 ` Jose Maria Lopez Hernandez
0 siblings, 1 reply; 12+ messages in thread
From: R. DuFresne @ 2005-02-13 20:54 UTC (permalink / raw)
To: Jose Maria Lopez Hernandez; +Cc: netfilter
On Sun, 13 Feb 2005, Jose Maria Lopez Hernandez wrote:
> On Sun, 13-02-2005 at 15:09 +0200, Georgi Alexandrov wrote:
> > Jose Maria Lopez Hernandez wrote:
> >
> > >On Sun, 13-02-2005 at 09:28 +0300, Mikhail Zotov wrote:
> > >
> > >
> > >>Hello everybody,
> > >>
> > >>I have a Linux machine (with a static routable IP address)
> > >>connected to a windoops LAN. As is known, there is certain
> > >>"noise" in windoops networks, which can be silently dropped
> > >>by a rule like this:
> > >>
> > >>iptables -A INPUT -p udp --dport 135:139 -j DROP
> > >>
> > >>
> > >
> > >That's OK, but also DROP port 445 because there's also a great
> > >amount of traffic in that port.
> > >
> > >
> > >
> > How exactly is that OK? I guess you don't have anything listening on
> > 135-139/udp, right?
>
> The OP *wanted* to DROP those ports, and their rules were OK. That's
> all I said. And bear in mind that even if you are not listening on
> those ports you respond with RST-ACK packets if you don't DROP the
> connections. I have to DROP the 445 packets from the Internet because
> they cause my machine to send traffic I don't want to be sent.
>
> > So you won't "save" any traffic with a rule like that; that's how
> > Ethernet works.
>
> You save the RST-ACK responses, if I'm not wrong.
>
> > The only point in a rule like that, maybe, is if you are logging unmatched
> > packets at the end of the filter table's INPUT chain and don't
> > want your logs flooded by that broadcast traffic.
>
> That's right. But if you want to DROP the Netbios packets also
> there's nothing wrong with it.
>
> > >If you don't want to receive traffic to your broadcast address, it's OK.
> > >
> > >
> > Same thing here... you will receive that broadcast traffic no matter
> > what. Dropping it won't help.
>
> Same reason as before. You receive the packets, but you don't
> answer them.
Two of the rules could be replaced with sysctl statements:
# prevent spoofs
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# prevent being used in broadcast storms
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Or am I mistaken here?
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
* Re: Dropping network "noise"
2005-02-13 20:54 ` R. DuFresne
@ 2005-02-13 21:35 ` Jose Maria Lopez Hernandez
0 siblings, 0 replies; 12+ messages in thread
From: Jose Maria Lopez Hernandez @ 2005-02-13 21:35 UTC (permalink / raw)
To: R. DuFresne; +Cc: netfilter
On Sun, 13-02-2005 at 15:54 -0500, R. DuFresne wrote:
> On Sun, 13 Feb 2005, Jose Maria Lopez Hernandez wrote:
>
> > On Sun, 13-02-2005 at 15:09 +0200, Georgi Alexandrov wrote:
> > > Jose Maria Lopez Hernandez wrote:
> > >
> > > >On Sun, 13-02-2005 at 09:28 +0300, Mikhail Zotov wrote:
> > > >
> > > >
> > > >>Hello everybody,
> > > >>
> > > >>I have a Linux machine (with a static routable IP address)
> > > >>connected to a windoops LAN. As is known, there is certain
> > > >>"noise" in windoops networks, which can be silently dropped
> > > >>by a rule like this:
> > > >>
> > > >>iptables -A INPUT -p udp --dport 135:139 -j DROP
> > > >>
> > > >>
> > > >
> > > >That's OK, but also DROP port 445 because there's also a great
> > > >amount of traffic in that port.
> > > >
> > > >
> > > >
> > > How exactly is that OK? I guess you don't have anything listening on
> > > 135-139/udp, right?
> >
> > The OP *wanted* to DROP those ports, and their rules were OK. That's
> > all I said. And bear in mind that even if you are not listening on
> > those ports you respond with RST-ACK packets if you don't DROP the
> > connections. I have to DROP the 445 packets from the Internet because
> > they cause my machine to send traffic I don't want to be sent.
> >
> > > So you won't "save" any traffic with a rule like that; that's how
> > > Ethernet works.
> >
> > You save the RST-ACK responses, if I'm not wrong.
> >
> > > The only point in a rule like that, maybe, is if you are logging unmatched
> > > packets at the end of the filter table's INPUT chain and don't
> > > want your logs flooded by that broadcast traffic.
> >
> > That's right. But if you want to DROP the Netbios packets also
> > there's nothing wrong with it.
> >
> > > >If you don't want to receive traffic to your broadcast address, it's OK.
> > > >
> > > >
> > > Same thing here... you will receive that broadcast traffic no matter
> > > what. Dropping it won't help.
> >
> > Same reason as before. You receive the packets, but you don't
> > answer them.
>
> Two of the rules could be replaced with sysctl statements:
>
> #prevent spoofs
>
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
Sure it will work... if the traffic is spoofed. The OP was talking
about traffic from its own LAN.
> # prevent being used in broadcast storms
>
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
This only prevents ICMP broadcasts; if you want to stop UDP
broadcast traffic you need other rules.
> Or am I mistaken here?
I think so, but it's just my opinion.
> Thanks,
>
> Ron DuFresne
Regards.
--
Jose Maria Lopez Hernandez
* Re: Dropping network "noise"
2005-02-13 6:28 Dropping network "noise" Mikhail Zotov
2005-02-13 12:03 ` Jose Maria Lopez Hernandez
@ 2005-02-15 16:15 ` Jason Opperisano
2005-02-16 7:34 ` Mikhail Zotov
1 sibling, 1 reply; 12+ messages in thread
From: Jason Opperisano @ 2005-02-15 16:15 UTC (permalink / raw)
To: netfilter
On Sun, Feb 13, 2005 at 09:28:41AM +0300, Mikhail Zotov wrote:
> Hello everybody,
>
> I have a Linux machine (with a static routable IP address)
> connected to a windoops LAN. As is known, there is certain
> "noise" in windoops networks, which can be silently dropped
> by a rule like this:
>
> iptables -A INPUT -p udp --dport 135:139 -j DROP
>
> I have found that this "noise" can also be effectively blocked
> by the following rule:
>
> iptables -A INPUT -d ! $IP.ADDRESS.OF.MY_BOX -j DROP
>
> I haven't noticed anything going wrong yet, still I'd like to
> know: Does this rule have a (potential) drawback? Can it break
> anything in case I have NFS or obtain IP address via DHCP or
> in any other situation?
>
> A similar question goes for the case of a Linux router/gateway
> protecting a LAN (with machines with routable IP addresses).
> Can the following rules do any harm?
>
> iptables -A FORWARD -i $EXTERIOR_INTERFACE -d $LAN.BROADCAST -j DROP
> iptables -A FORWARD -i $EXTERIOR_INTERFACE -d ! $LAN.IP.ADDRESSES.RANGE -j DROP
you can also use the pkttype match to drop broadcast/multicast traffic,
without having to calculate the broadcast address for every interface,
and having another rule for the all-ones broadcast:
-m pkttype --pkt-type broadcast -j DROP
-m pkttype --pkt-type multicast -j DROP
-j
--
"Boy, if you want anything in this life, you have to work for it. Now
be quiet while I listen for these lottery numbers."
--The Simpsons
* Re: Dropping network "noise"
2005-02-15 16:15 ` Jason Opperisano
@ 2005-02-16 7:34 ` Mikhail Zotov
2005-02-16 13:28 ` Jason Opperisano
0 siblings, 1 reply; 12+ messages in thread
From: Mikhail Zotov @ 2005-02-16 7:34 UTC (permalink / raw)
To: Jason Opperisano, netfilter
On Tuesday 15 February 2005 19:15, Jason Opperisano wrote:
> On Sun, Feb 13, 2005 at 09:28:41AM +0300, Mikhail Zotov wrote:
> > I have a Linux machine (with a static routable IP address)
> > connected to a windoops LAN. As is known, there is certain
> > "noise" in windoops networks, which can be silently dropped
> > by a rule like this:
> >
> > iptables -A INPUT -p udp --dport 135:139 -j DROP
> >
> > I have found that this "noise" can also be effectively blocked
> > by the following rule:
> >
> > iptables -A INPUT -d ! $IP.ADDRESS.OF.MY_BOX -j DROP
[snip]
> you can also use the pkttype match to drop broadcast/multicast traffic,
> without having to calculate the broadcast address for every interface,
> and having another rule for the all-ones broadcast:
>
> -m pkttype --pkt-type broadcast -j DROP
> -m pkttype --pkt-type multicast -j DROP
>
> -j
Great. Thanks a lot for the idea. These rules raise another question:
are broadcast/multicast messages used in Linux/UNIX or other than
windoops networks? If so, won't these rules break anything?
I haven't seen such rules in any iptables guides/scripts available on
the Internet.
Regards,
Mikhail
* Re: Dropping network "noise"
2005-02-16 7:34 ` Mikhail Zotov
@ 2005-02-16 13:28 ` Jason Opperisano
2005-02-16 13:51 ` Mikhail Zotov
0 siblings, 1 reply; 12+ messages in thread
From: Jason Opperisano @ 2005-02-16 13:28 UTC (permalink / raw)
To: netfilter
On Wed, 2005-02-16 at 02:34, Mikhail Zotov wrote:
> > -m pkttype --pkt-type broadcast -j DROP
> > -m pkttype --pkt-type multicast -j DROP
> >
> > -j
>
> Great. Thanks a lot for the idea. These rules raise another question:
> are broadcast/multicast messages used in Linux/UNIX or other than
> windoops networks? If so, won't these rules break anything?
> I haven't seen such rules in any iptables guides/scripts available on
> the Internet.
i usually put rules like this at the end of chains; before the log rule,
as part of a "no_log" chain, to keep the noise out of the logs. so if
you needed to allow certain broadcast or multicast traffic, you would do
it before these rules. on a dedicated firewall machine, the only thing
i can think of would be if the machine is a DHCP server or client (or
both)--though the broadcast part of that conversation *should* be at the
BPF level and not require firewall rules.
-j
--
"Lisa, Vampires are make-believe, like elves, gremlins, and eskimos."
--The Simpsons
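Jason's message above settles the ordering (the silent drops sit at the end of the chain, just before the LOG rule, after anything you actually want to allow), and the earlier replies supply the caveats: the `! -d $IP` rule must cover every address the box holds (Jose), DHCP needs to be let through before any broadcast drop (Jose, Jason), port 445 is worth dropping too (Jose), and `pkttype` avoids computing a broadcast address per interface (Jason). The script below is an added example that pulls those points together; it is not code from the thread or from the slackfire script. The chain name `NOISE`, the `ipt` wrapper and the `DRY_RUN` switch (which prints the rules instead of loading them, so the output can be reviewed without root) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a NOISE chain that silently drops
# LAN chatter, to be jumped to just before the LOG rule in INPUT.

IPT="${IPT:-iptables}"

# Wrapper: with DRY_RUN set, print the rule instead of loading it.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# noise_chain IFACE ADDR [ADDR...]
# IFACE: the LAN interface; ADDR: every IPv4 address this box holds on it.
# A single "! -d $IP" rule is wrong as soon as the box has a second address,
# so the caller passes all of them (re-run after a DHCP lease changes them).
noise_chain() {
    iface="$1"; shift
    [ $# -ge 1 ] || { echo "noise_chain: need at least one local address" >&2; return 1; }

    ipt -N NOISE 2>/dev/null || ipt -F NOISE

    # 1. Broadcast traffic we still want: DHCP (server 67 <-> client 68). It
    #    arrives as broadcast, so it must be accepted before any broadcast
    #    drop. ACCEPT, not RETURN: a RETURN would send it on to LOG and DROP.
    #    Delete these two rules if the box is neither DHCP client nor server.
    ipt -A NOISE -i "$iface" -p udp --sport 67 --dport 68 -j ACCEPT
    ipt -A NOISE -i "$iface" -p udp --sport 68 --dport 67 -j ACCEPT

    # 2. Windows chatter: RPC endpoint mapper (135), NetBIOS (137-139) and
    #    SMB over TCP (445). DROP rather than REJECT so nothing is sent back.
    ipt -A NOISE -i "$iface" -p udp --dport 135:139 -j DROP
    ipt -A NOISE -i "$iface" -p tcp --dport 135:139 -j DROP
    ipt -A NOISE -i "$iface" -p tcp --dport 445 -j DROP

    # 3. Any other broadcast/multicast. pkttype matches on the link-layer
    #    packet type, so this covers the subnet broadcast address and the
    #    all-ones broadcast without listing either.
    ipt -A NOISE -i "$iface" -m pkttype --pkt-type broadcast -j DROP
    ipt -A NOISE -i "$iface" -m pkttype --pkt-type multicast -j DROP

    # 4. Unicast: packets for one of our own addresses RETURN to INPUT (and
    #    so still reach the LOG rule); anything else was never for us.
    for a in "$@"; do
        ipt -A NOISE -i "$iface" -d "$a" -j RETURN
    done
    ipt -A NOISE -i "$iface" -j DROP
}

# Hook the chain in after the ACCEPT rules for real services and just before
# the logging rule, so only genuinely unexpected packets reach LOG:
#   iptables -A INPUT -j NOISE
#   iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "
#   iptables -A INPUT -j DROP

if [ $# -ge 2 ]; then
    noise_chain "$@"
fi
```

Run it as `DRY_RUN=1 sh noise.sh eth0 192.0.2.10 192.0.2.11` first and read the rule list; the two DHCP ACCEPTs must appear before the `pkttype broadcast` DROP, and one RETURN per address before the final DROP. Because real unicast to the box returns from the chain rather than being accepted, the chain can only ever remove log entries, never open a port.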
* Re: Dropping network "noise"
2005-02-16 13:28 ` Jason Opperisano
@ 2005-02-16 13:51 ` Mikhail Zotov
0 siblings, 0 replies; 12+ messages in thread
From: Mikhail Zotov @ 2005-02-16 13:51 UTC (permalink / raw)
To: netfilter
On Wednesday 16 February 2005 16:28, Jason Opperisano wrote:
> On Wed, 2005-02-16 at 02:34, Mikhail Zotov wrote:
> > > -m pkttype --pkt-type broadcast -j DROP
> > > -m pkttype --pkt-type multicast -j DROP
> > >
> > > -j
> >
> > Great. Thanks a lot for the idea. These rules raise another question:
> > are broadcast/multicast messages used in Linux/UNIX or other than
> > windoops networks? If so, won't these rules break anything?
> > I haven't seen such rules in any iptables guides/scripts available on
> > the Internet.
>
> i usually put rules like this at the end of chains; before the log rule,
> as part of a "no_log" chain, to keep the noise out of the logs. so if
> you needed to allow certain broadcast or multicast traffic, you would do
> it before these rules. on a dedicated firewall machine, the only thing
> i can think of would be if the machine is a DHCP server or client (or
> both)--though the broadcast part of that conversation *should* be at the
> BPF level and not require firewall rules.
I see. I have these `noise-filtering' rules at the beginning of the script
(http://slackfire.narod.ru) because I am afraid of breaking something I am
not aware of yet. :-) Another reason for having them at the beginning
is that there are at least a thousand MS broadcasts every day in our
LAN.
Still, I see your point now and will study how these rules work when
moved to the end of the script. Thanks a lot for the explanation!
Regards,
Mikhail