[Dshield] Egress filtering

Daniel Gerald Kluge dkluge at acm.org
Sat Mar 8 15:56:24 GMT 2003

On Vendredi, mars 7, 2003, at 18:54 Europe/Zurich, Deb Hale wrote:
>> You and I are in complete agreement. It's easy to do, doesn't have much
>> impact, it should be done at every edge. I wish more providers did this.
>> Do the little home routers do this (LinkSys, Dlink, et al.)?
> ***** If the Linksys routers do this, I would be very interested in HOW to do it.
> I am running Linksys at home and at the office and want to do everything I
> can to make sure that I am not aiding and abetting this activity *******

I'm currently toying with the filtering of my Zyxel ADSL Router (some 
of the Netgear routers are OEM'd Zyxels), but I don't see that I'll be 
doing the full best practices, because:
a) The rules won't allow it.
b) I only have 72 of them to toy with.

So the question to the community at large would be: on an edge node, 
what are the most important things to filter out?

I'm currently just doing defense, i.e. dropping all incoming TCP/ICMP 
packets, more to come as the weekend goes along :-)

To give some background on the Zyxel Filters, for those who are 
wondering if their pet-peeve packet can be dropped:

You have 12 filter banks of 6 filters, each bank contains either 
Generic Filters or Protocol Filters. Each bank can be attached to any 
interface (LAN or WAN), either inbound or outbound.

Protocol Filters are specified by:
IP Protocol (match or not)
Source IP (Address + mask)
Target IP (Address + mask)
Source Port (eq, ne, lt, gt, all)
Target Port (eq, ne, lt, gt, all)
SYN set, or ignore SYN

You can forward or drop a packet, or chain rules if you want; logging can 
also be done (but requires a running syslogd somewhere).

Generic Rules will compare a binary value (up to eight bytes) at a 
fixed offset in the packet, ANDed with a mask, so this can be used to 
get rid of special packets (SYN, Xmas, unwanted Options).

My current plan is to drop everything incoming, and to do egress 
filtering against my (private) network addresses, so should NAT be 
turned off, nothing bad is being sent out.

Other ideas, on what an edge router really should filter out before it 
reaches the ISP (which might or might not be egress filtering)?

-daniel (UH AH OH Zyxels default to accept any SNMP packets with 
communities public/public/public, good that there is a default filter 
on incoming SNMP)
P.S. see www.netgear.org for a good overview on the capabilities of the 
Zyxel/Netgear Routers. You can always download the User Guide if you 
want even more information.
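To make the Protocol Filter fields described above and the egress plan (drop everything inbound, drop outbound packets that carry a private source address) concrete, here is an added worked example that is not part of the original post and not Zyxel's or Netgear's code. It models a bank of Protocol Filters in Python with the fields the post lists (protocol, source/target address plus mask, port operators eq/ne/lt/gt/all, SYN set or ignored) and the six-rules-per-bank limit, then evaluates constructed sample packets against a WAN-outbound egress bank and a WAN-inbound bank. First-match-wins ordering, the "forward" default, and all addresses and ports are assumptions for the illustration; rule chaining is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port comparison operators named in the post: eq, ne, lt, gt, all.
PORT_OPS = {
    "eq": lambda have, want: have == want,
    "ne": lambda have, want: have != want,
    "lt": lambda have, want: have < want,
    "gt": lambda have, want: have > want,
    "all": lambda have, want: True,
}


@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False    # TCP SYN flag


@dataclass
class Rule:
    """One Protocol Filter; None in a field means 'do not match on it'."""
    action: str                          # "drop" or "forward"
    proto: Optional[str] = None          # None: any IP protocol
    src: Optional[str] = None            # address + mask in CIDR form
    dst: Optional[str] = None
    sport: Tuple[str, int] = ("all", 0)  # (operator, value)
    dport: Tuple[str, int] = ("all", 0)
    syn: Optional[bool] = None           # None: ignore the SYN flag

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if not PORT_OPS[self.sport[0]](p.sport, self.sport[1]):
            return False
        if not PORT_OPS[self.dport[0]](p.dport, self.dport[1]):
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        return True


class Bank:
    """A filter bank of at most six rules; assumed first match wins."""
    MAX_RULES = 6

    def __init__(self, name: str, rules: List[Rule], default: str = "forward"):
        if len(rules) > self.MAX_RULES:
            raise ValueError(f"{name}: {len(rules)} rules exceed the bank limit of {self.MAX_RULES}")
        self.name, self.rules, self.default = name, rules, default

    def evaluate(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


# WAN outbound (egress): drop anything sourced from an RFC 1918 range, so a
# NAT failure cannot push private addresses out to the ISP (the post's plan).
WAN_OUT = Bank("wan-out", [
    Rule("drop", src="10.0.0.0/8"),
    Rule("drop", src="172.16.0.0/12"),
    Rule("drop", src="192.168.0.0/16"),
])

# WAN inbound: the post's current state (drop all incoming TCP and ICMP),
# plus a rule for the SNMP concern in the signature (UDP target port 161).
WAN_IN = Bank("wan-in", [
    Rule("drop", proto="tcp"),
    Rule("drop", proto="icmp"),
    Rule("drop", proto="udp", dport=("eq", 161)),
])

# Constructed sample traffic (documentation-range public addresses).
SAMPLE_OUT = [
    Packet("tcp", "192.168.1.10", "203.0.113.5", 40000, 80, syn=True),   # NAT leak: drop
    Packet("icmp", "172.31.4.4", "203.0.113.5"),                         # private source: drop
    Packet("tcp", "198.51.100.7", "203.0.113.5", 40000, 80, syn=True),   # NATed address: forward
]
SAMPLE_IN = [
    Packet("tcp", "203.0.113.5", "198.51.100.7", 12345, 22, syn=True),   # inbound SYN: drop
    Packet("udp", "203.0.113.5", "198.51.100.7", 2000, 161),             # SNMP probe: drop
    Packet("udp", "203.0.113.5", "198.51.100.7", 53, 3300),              # DNS reply: forward
]


def audit(bank: Bank, packets: List[Packet]) -> List[str]:
    """Return the verdict for each packet, in order."""
    return [bank.evaluate(p) for p in packets]


if __name__ == "__main__":
    for bank, packets in ((WAN_OUT, SAMPLE_OUT), (WAN_IN, SAMPLE_IN)):
        for p, verdict in zip(packets, audit(bank, packets)):
            print(f"{bank.name}: {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} => {verdict}")
```

The egress bank uses three of a bank's six slots, which is the kind of budgeting the 72-rule limit forces; the inbound bank shows that a protocol-only rule costs one slot while a port-specific rule (SNMP) costs another.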

