Adrian Mak
2004-Nov-01 13:32 UTC
does shorewall support more advanced features of netfilter?
e.g. string-matching CodeRed or Nimda viruses before they hit your Web server. The following rules achieve this:

# $EXT_IFACE (the external interface) and $IP (the Web server's address)
# must be set before these rules are loaded
# DROP HTTP packets related to CodeRed and Nimda
# viruses silently
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string "/default.ida?" -j DROP
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string ".exe?/c+dir" -j DROP
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string ".exe?/c+tftp" -j DROP

iptables can detect and block inbound port scans with the following rule:

# DROP inbound port scans
# (DROPLOG is a user-defined chain that logs and drops; its
# definition is not shown here)
iptables -t nat -A PREROUTING -i $EXT_IFACE \
    -d $IP -m psd -j DROPLOG

Use iptables to limit new inbound TCP packets to prevent a Denial of Service attack. This is accomplished with the following rules:

# Create syn-flood chain for detecting
# Denial of Service attacks
iptables -t nat -N syn-flood
# Limit 12 connections per second (burst to 24)
iptables -t nat -A syn-flood -m limit --limit 12/s \
    --limit-burst 24 -j RETURN
iptables -t nat -A syn-flood -j DROPLOG
# Check for DoS attack
iptables -t nat -A PREROUTING -i $EXT_IFACE \
    -d $IP -p tcp --syn -j syn-flood

Using the netfilter iplimit patch, iptables can limit the number of connections received from a particular IP address with the following rule:

# DROP packets from hosts with more than 16
# active connections
iptables -t nat -A PREROUTING -i $EXT_IFACE -p tcp \
    --syn -d $IP -m iplimit --iplimit-above 16 \
    -j DROPLOG
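To show what the `-m limit --limit 12/s --limit-burst 24` rule in the syn-flood chain actually lets through, here is a simplified token-bucket model of the limit match. This is an added example, not code from the post or from Shorewall: the bucket starting full at the burst value and refilling at the stated rate is an assumption about the match's behaviour (the kernel uses integer credit arithmetic, so exact counts at the boundary can differ), and the SYN arrival times fed to it are constructed.

```python
"""Simplified token-bucket model of the netfilter `-m limit` match used in
the syn-flood chain (added example, not from the original post).

Assumption: `--limit 12/s --limit-burst 24` behaves like a bucket that
starts full at 24 tokens and refills at 12 tokens per second. A SYN that
finds a token matches and RETURNs to PREROUTING; any other SYN falls
through to the DROPLOG chain.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate_per_sec: float                 # --limit N/s
    burst: int                          # --limit-burst N
    tokens: float = field(init=False)   # current bucket contents
    last: float = field(init=False, default=0.0)  # time of last packet

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # the bucket starts full

    def matches(self, now: float) -> bool:
        """True when the packet seen at time `now` is within the limit."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst),
                          self.tokens + elapsed * self.rate_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_syn_flood(syn_times, rate_per_sec=12, burst=24):
    """Run SYN arrival times (seconds, ascending) through the syn-flood chain.

    Returns (returned, dropped): SYNs that matched `-m limit` and RETURNed,
    and SYNs that fell through to DROPLOG.
    """
    chain = LimitMatch(rate_per_sec, burst)
    returned = dropped = 0
    for t in syn_times:
        if chain.matches(t):
            returned += 1
        else:
            dropped += 1
    return returned, dropped


if __name__ == "__main__":
    # Constructed traffic: a 100-SYN burst at t=0, then a steady 10 SYN/s
    print("100 SYNs at once :", simulate_syn_flood([0.0] * 100))
    print("10 SYN/s for 10 s:", simulate_syn_flood([i * 0.1 for i in range(100)]))
```

The two constructed runs make the trade-off visible: a burst of 100 SYNs arriving together passes only the first 24, while a steady 10 SYN/s stream (below the 12/s rate) is never throttled. Note that the limit in the post is global, not per source, so a flood from one host also consumes the budget of legitimate clients.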
Tom Eastep
2004-Nov-01 15:39 UTC
Re: does shorewall support more advanced features of netfilter?
Adrian Mak wrote:
> e.g.
> string-matching
>

Most of those features are not "advanced" but rather are "Patch-o-matic-ng" features. You can use them via Shorewall extension scripts (see http://shorewall.net/shorewall_extension_scripts.htm) but see my general policy regarding Patch-o-matic[-ng] at http://shorewall.net/Shorewall_Doesnt.html.

The 'limit' match *is* supported in Shorewall -- see the BURST/LIMIT column in several of the Shorewall configuration files (including the rules and policy files).

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2004-Nov-01 15:46 UTC
Re: does shorewall support more advanced features of netfilter?
Tom Eastep wrote:
> Adrian Mak wrote:
>
>> e.g.
>> string-matching
>>
>
> Most of those features are not "advanced" but rather are
> "Patch-o-matic-ng" features. You can use them via Shorewall extension
> scripts (see http://shorewall.net/shorewall_extension_scripts.htm) but
> see my general policy regarding Patch-o-matic[-ng] at
> http://shorewall.net/Shorewall_Doesnt.html.
>
> The 'limit' match *is* supported in Shorewall -- see the BURST/LIMIT
> column in several of the Shorewall configuration files (including the
> rules and policy files).

I should also add that the 'string' match extension is generally accepted to be a bad idea. It has a high CPU cost (must scan the payload of every TCP packet that the rule is applied to), isn't reliable (the strings that you are searching for may be split over two packets), and when it finds a match it leaves the TCP connection in a broken state, thus making it susceptible to DOS attack.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
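The reliability point above (a signature split over two packets) is easy to see in a small model. This added example is not part of the thread: it takes the three strings from the rules earlier in the thread, builds a constructed CodeRed-style request, and compares what a per-packet matcher (the `-m string` model) sees against what a reassembling inspector or the Web server itself sees. The request bytes and segment sizes are constructed for illustration only.

```python
"""Per-packet `-m string` matching versus stream reassembly (added example,
not part of the original thread).

The signatures are the three strings from the rules earlier in the thread.
The request and the segment sizes are constructed for illustration.
"""

SIGNATURES = [b"/default.ida?", b".exe?/c+dir", b".exe?/c+tftp"]

# Constructed CodeRed-style request line; the padding stands in for the
# long query string such worms sent.
REQUEST = (b"GET /default.ida?" + b"X" * 24 + b" HTTP/1.0\r\n"
           b"Host: www.example.com\r\n\r\n")


def segment(payload: bytes, size: int) -> list:
    """Split a byte stream into fixed-size TCP segment payloads."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def per_packet_match(segments, signatures=SIGNATURES) -> bool:
    """Model of `-m string`: each segment is inspected in isolation, so a
    signature that straddles two segments is never seen whole."""
    return any(sig in seg for seg in segments for sig in signatures)


def stream_match(segments, signatures=SIGNATURES) -> bool:
    """What a reassembling inspector (or the Web server) sees: the
    segments joined back into the original byte stream."""
    stream = b"".join(segments)
    return any(sig in stream for sig in signatures)


def compare(request: bytes, segment_size: int) -> dict:
    """Segment the request and report both verdicts for that segment size."""
    segs = segment(request, segment_size)
    return {"segments": len(segs),
            "per_packet": per_packet_match(segs),
            "stream": stream_match(segs)}


if __name__ == "__main__":
    for size in (64, 10):
        print(f"segment size {size:>3}:", compare(REQUEST, size))
```

With 64-byte segments the whole signature sits in the first segment and both inspectors agree; with 10-byte segments the signature spans two segments, the per-packet matcher reports nothing while the reassembled stream still matches. That gap is the reason signature matching belongs in something that reassembles the stream (an HTTP proxy, an IDS, or the Web server's own filtering) rather than in a per-packet firewall rule.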