[Dshield] Egress filtering

Rick Leske rick at jaray.net
Sat Mar 8 17:30:17 GMT 2003

If you are limited to only a few filters IMHO I'd start with
blocking ports 53, 113, 135-139.

For a gnu/free solution that's not too hard to implement check out:
http://www.famhost.com/support/pktfiltrer.zip and navigate 
to this link: http://www.interhack.net/pubs/fwfaq/ for good info.


----- Original Message ----- 
From: "Daniel Gerald Kluge" <dkluge at acm.org>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Saturday, March 08, 2003 9:56 AM
Subject: Re: [Dshield] Egress filtering

> On Vendredi, mars 7, 2003, at 18:54 Europe/Zurich, Deb Hale wrote:
> >
> >> You and I are in complete agreement. It's easy to do, doesn't have 
> >> much
> >> impact, it should be done at every edge. I wish more providers did 
> >> this.
> >> Do the little home routers do this (LinkSys, Dlink, et-all)?
> >
> > *****  If the Linksys routers do this, I would be very interested in 
> > HOW to do it.
> > I am running Linksys at home and at the office and want to do 
> > everything I
> > can to make sure that I am not aiding and abedding this activity 
> > *******
> >
> I'm currently toying with the filtering of my Zyxel ADSL Router (some 
> of the Netgear routers are OEM'd Zyxels), but I don't see that I'll be 
> doing the full best practices, because
> a) The Rules won't allow it
> b) I only have 72 of them to toy with.
> So the question to the community at large would be: On an edge Node, 
> what are the most important things to filter out?
> I'm currently just doing defense, i.e. dropping all incoming TCP/ICMP 
> packets, more to come as the weekend goes along :-)
> To give some background on the Zyxel Filters, for those who are 
> wondering if their pet-peeve packet can be dropped:
> You have 12 filter banks of 6 filters, each bank contains either 
> Generic Filters or Protocol Filters. Each bank can be attached to any 
> interface (LAN or WAN), either inbound or outbound.
> Protocol Filters are specified by:
> IP Protocol (match or not)
> Source IP (Address + mask)
> Target IP (Address + mask)
> Source Port (eq, ne lt, gt, all)
> Target Port (eq, ne, lt, gt, all)
> Syn set, or ignore syn
> You can forward, drop a packet, or chain rules if you want, logging can 
> also be done (but requires a running syslogd somewhere).
> Generic Rules will compare a binary value (up to eight bytes) at a 
> fixed offset in the packet, anded with a mask, so this can be used to 
> get rid of special packets (Syn, Xmas, unwanted Options).
> My current plan is to drop everything incoming, and to do egress 
> filtering against my (private) network addresses, so should NAT be 
> turned off, nothing bad is being sent out.
> Other ideas, on what an edge router really should filter out before it 
> reaches the ISP (which might or might not be egress filtering)?
> Cheers,
> -daniel (UH AH OH Zyxels default to accept any SNMP packets with 
> communities public/public/public, good that there is a default filter 
> on incoming SNMP)
> P.S. see www.netgear.org for a good overview on the capabilities of the 
> Zyxel/Netgear Routers. You can always download the User Guide if you 
> want even more information.

Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

More information about the list mailing list