[Dshield] Idea for dealing with ISPs that ignore abuse notifications was RE: The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS YOUR CUSTOMER...])
superc at visuallink.com
Sun Aug 27 18:19:46 GMT 2006
This may work. I have saved it and will try it later. Thanks.
Re: [Dshield] Idea for dealing with ISPs that ignore abuse notifications
was RE: The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS
Valdis.Kletnieks at vt.edu
Sat, 26 Aug 2006 12:23:43 -0400
General DShield Discussion List <list at lists.dshield.org>
On Sat, 26 Aug 2006 10:28:30 EDT, Kenneth Coney said:
> input had to be checked for a block. A different approach I would like
> to see some one market as a firewall for stand alone computers is as
> follows. There are a total of 9 ISPs containing maybe a total of 12
> IPNs which I actually need to maintain communication with business
[0:0] -A tcp-in -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A tcp-in -p tcp -s 22.214.171.124/16 -j ACCEPT
[0:0] -A tcp-in -p tcp -s 126.96.36.199/16 -j ACCEPT
# Add your other 7 -j ACCEPT rules here.
[0:0] -A tcp-in -j DROP
Done. Pay careful attention to that first rule - that means "if *we*
go to visit *them*, their return packets are OK" - this lets you say
"Oh, I want to check www.cnn.com real quick" without having to whitelist them.
This is an iptables example, but I think all the current decent host firewalls
can be set up similarly (inability to do so, in fact, should be considered a
fatal flaw these days).
This is the opposite of Marcus's "Enumerate Badness", and how things *should*
be done if it's easy to enumerate the sites you should be hearing from.
> > Would it violate RFCs, probably, but when was the last time someone
> > asked for our signature of approval on one of those?
If you're worried about RFC compliance, do this instead:
[0:0] -A tcp-in -p tcp --syn -j REJECT --reject-with tcp-reset
[0:0] -A udp-in -p udp -j REJECT --reject-with icmp-port-unreachable
But a lot of security experts (myself included) think that being totally
silent in response to undesired traffic outweighs strict RFC compliance.
Remember - the RFCs are written so that two consenting hosts can communicate.
If one isn't consenting, the RFCs don't apply. But be nice and don't send
back non-RFC-compliant traffic that gives other machines indigestion. :)
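The rule fragment in the post shows only the inside of the tcp-in chain. The script below is an added example, not Valdis's or DShield's code: it generates a complete iptables-restore fragment for that "enumerate goodness" layout from a whitelist, with either the silent DROP tail or the RFC-friendly REJECT tail he mentions. The ":tcp-in" chain declaration, the INPUT-to-tcp-in hook and the loopback rule are assumptions the post does not state, and the networks are RFC 5737 documentation ranges, not anyone's real ISP.

```sh
#!/bin/sh
# Added example (not from the post): emit an iptables-restore fragment for the
# "enumerate goodness" layout. Chain name "tcp-in" follows the post; the
# ":tcp-in" declaration and the INPUT -> tcp-in hook are assumptions, since the
# post shows only the rules inside the chain. UDP gets no chain here.

# Constructed whitelist: one source network per line, '#' lines are comments.
# These are RFC 5737 documentation networks, not the poster's ISPs.
WHITELIST="# business partners
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# $1 = whitelist text, $2 = tail policy: DROP (silent, default) or REJECT
gen_tcp_in_rules() {
    wl=$1; tail=${2:-DROP}
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':tcp-in - [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp -j tcp-in'
    # Replies to connections *we* opened are matched here, so no whitelist
    # entry is needed for sites we only visit.
    printf '%s\n' '-A tcp-in -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$wl" | while read -r net; do
        case $net in ''|'#'*) continue ;; esac
        printf '%s\n' "-A tcp-in -p tcp -s $net -j ACCEPT"
    done
    if [ "$tail" = REJECT ]; then
        printf '%s\n' '-A tcp-in -p tcp --syn -j REJECT --reject-with tcp-reset'
    else
        printf '%s\n' '-A tcp-in -j DROP'
    fi
    printf '%s\n' 'COMMIT'
}

# Number of whitelist ACCEPT rules in the generated fragment (sanity check).
count_whitelist_rules() {
    gen_tcp_in_rules "$1" "$2" | grep -c -- ' -s .* -j ACCEPT'
}

# Last rule before COMMIT: the catch-all that makes the chain default-deny.
catch_all_rule() {
    gen_tcp_in_rules "$1" "$2" | tail -n 2 | head -n 1
}

# Usage (as root): gen_tcp_in_rules "$WHITELIST" | iptables-restore --test
# and then without --test once it parses cleanly.
```

Run it with REJECT as the second argument to get the tcp-reset tail instead of the silent DROP.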