220 lines
4.6 KiB
HTML
220 lines
4.6 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>( Log Reduction ) - My logs are filling up with packet hits due to the
|
|
new "stronger" rulesets. How can I fix this? </TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Linux IP Masquerade HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Frequently Asked Questions"
|
|
HREF="faq.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird
|
|
notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM
|
|
firewall errors?"
|
|
HREF="masq-logs.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="( MASQ Security ) - Can I configure IP MASQ to allow Internet users to
|
|
directly contact internal MASQed servers?"
|
|
HREF="masq-host-security.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Linux IP Masquerade HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="masq-logs.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 7. Frequently Asked Questions</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="masq-host-security.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="REDUCING-MASQ-LOGS"
|
|
></A
|
|
>7.21. ( Log Reduction ) - My logs are filling up with packet hits due to the
|
|
new "stronger" rulesets. How can I fix this?</H1
|
|
><P
|
|
>So your realizing that a good firewall is catching a LOT of bad Internet
|
|
traffic. That's a good thing but it's also filling up your logs to the point
|
|
that you won't read them; that's bad.
|
|
What to do?</P
|
|
><P
|
|
>What you need to figure out is what traffic you DON"T want to log, explicitly
|
|
match those packets in the firewall, and NOT log the packets when you drop
|
|
them.</P
|
|
><P
|
|
>For example, the TrinityOS firewall ruleset in section 10.7 (this would be a
|
|
"strongest" ruleset in IPMASQ speak) gives some ideas:
|
|
<A
|
|
HREF="http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c-10.html"
|
|
TARGET="_top"
|
|
>TrinityOS - Section 10.7</A
|
|
></P
|
|
><P
|
|
>Things I recommend to filter:
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>All RFC1918 address space (TCP/IP address ranges: 10.x.y.z/8,
|
|
172.16-31.y.z/12, and 192.168.y.x/16). You should /never/ receive these
|
|
packets from an Internet connection. If you do, they are most likely spoofed
|
|
packets</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Windows File and Print Sharing (Samba or CIFS): ports 137, 138, 139,
|
|
and 445. Windows machines like to talk a lot though most computers don't care
|
|
what they're saying.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Class-D Multicast addresses (if you don't use Multicast): 224.0.0.0/4 </P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Class-E and F "future" addresses: 240.0.0.0/5 and 248.0.0.0/5</P
|
|
></LI
|
|
></UL
|
|
></P
|
|
><P
|
|
>To a much lesser extent, you might want to filter other packets. I recommend
|
|
that you verify that you are receiving these specific packet types before
|
|
you filter them out.
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>RIP (the routing protocol): port 520</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Some specific forms of ICMP packets - NOT all of them (that will
|
|
break your machine and IPMASQ in general)</P
|
|
></LI
|
|
></UL
|
|
></P
|
|
><P
|
|
>Finally, you'll probably find that some individual TCP/IP address out on the
|
|
Internet always seem to attack your IP. So, in addition to filtering various
|
|
PORTS like above, you might want to also filter by specific SOURCE IP address
|
|
too. After all, it is *YOUR* firewall.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="masq-logs.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="masq-host-security.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird
|
|
notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM
|
|
firewall errors?</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="faq.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>( MASQ Security ) - Can I configure IP MASQ to allow Internet users to
|
|
directly contact internal MASQed servers?</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |