[Dshield] Egress filtering
rick at jaray.net
Sat Mar 8 17:30:17 GMT 2003
If you are limited to only a few filters, IMHO I'd start with
blocking ports 53, 113 and 135-139.
For a GNU/free solution that's not too hard to implement, check out
http://www.famhost.com/support/pktfiltrer.zip, and see this link for good info:
http://www.interhack.net/pubs/fwfaq/
----- Original Message -----
From: "Daniel Gerald Kluge" <dkluge at acm.org>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Saturday, March 08, 2003 9:56 AM
Subject: Re: [Dshield] Egress filtering
> On Friday, March 7, 2003, at 18:54 Europe/Zurich, Deb Hale wrote:
> >> You and I are in complete agreement. It's easy to do, doesn't have
> >> much impact, and it should be done at every edge. I wish more
> >> providers did this.
> >> Do the little home routers do this (LinkSys, Dlink, et al.)?
> > ***** If the Linksys routers do this, I would be very interested in
> > HOW to do it.
> > I am running Linksys at home and at the office and want to do
> > everything I can to make sure that I am not aiding and abetting
> > this activity *******
> I'm currently toying with the filtering of my Zyxel ADSL Router (some
> of the Netgear routers are OEM'd Zyxels), but I don't see that I'll be
> doing the full best practices, because
> a) The Rules won't allow it
> b) I only have 72 of them to toy with.
> So the question to the community at large would be: On an edge Node,
> what are the most important things to filter out?
> I'm currently just doing defense, i.e. dropping all incoming TCP/ICMP
> packets, more to come as the weekend goes along :-)
> To give some background on the Zyxel Filters, for those who are
> wondering if their pet-peeve packet can be dropped:
> You have 12 filter banks of 6 filters, each bank contains either
> Generic Filters or Protocol Filters. Each bank can be attached to any
> interface (LAN or WAN), either inbound or outbound.
> Protocol Filters are specified by:
> IP Protocol (match or not)
> Source IP (Address + mask)
> Target IP (Address + mask)
> Source Port (eq, ne, lt, gt, all)
> Target Port (eq, ne, lt, gt, all)
> Syn set, or ignore syn
> You can forward, drop a packet, or chain rules if you want, logging can
> also be done (but requires a running syslogd somewhere).
> Generic Rules will compare a binary value (up to eight bytes) at a
> fixed offset in the packet, anded with a mask, so this can be used to
> get rid of special packets (Syn, Xmas, unwanted Options).
> My current plan is to drop everything incoming, and to do egress
> filtering against my (private) network addresses, so should NAT be
> turned off, nothing bad is being sent out.
> Other ideas, on what an edge router really should filter out before it
> reaches the ISP (which might or might not be egress filtering)?
> -daniel (UH AH OH Zyxels default to accept any SNMP packets with
> communities public/public/public, good that there is a default filter
> on incoming SNMP)
> P.S. see www.netgear.org for a good overview on the capabilities of the
> Zyxel/Netgear Routers. You can always download the User Guide if you
> want even more information.