[StartingOver]

Gregory D Hough mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Fri Feb 13 14:06:34 UTC 2004


Greetings tlug,

Although I have four years of Linux under my belt, the more I learn the  
less I know. My Lin/Win network fell apart, rather I TOOK it apart. I  
saw things I didn't understand and felt it best to start over from  
scratch.

I wish to begin rebuilding from the firewall. One thing I noticed right  
from the get-go is the way a default firewall is handling certain  
connection requests. Most notably is the way Shorewall on Mandrake  
(out-of-the-box) treats ICMP (8) and port 135. Pings are dropped which  
is a good thing, but SYN packets to 135 go to a reject chain and are  
ultimately sent a ZeroWindow RST ACK. I thought this port was akin to a  
Windows specific vulnerability with DCOM services. Why would a Linux  
firewall be treating it differently in not just dropping it altogether?

Secondly, call me a geek, but I get more enjoyment watching tcpdump  
than network TV and this just came in:

65.203.175.213:666 > 66.203.175.213:1026 in the form of a Messenger  
NetrSendMessage request DCE RPC trying to tell me how to disable  
pop-ups and to go to www dot messagestop dot net. I'm not concerned with  
this traffic on this machine, but as I rebuild the network I've had to  
give the kids a WinNT box to run that kludge called MSN Messenger. And  
although I've done my best to DCOMbobulate that machine, I'd feel a  
whole lot better putting it back behind a real firewall ASAP. This  
particular set of packets is brand new to me, and the remarkable  
similarity to my current IP address is disturbing. I believe it is no  
coincidence and wish to bring the new network back up prepared for  
such.

Perhaps if someone could briefly explain the 135 RST ACK (RFC  
reference?) and the IP address similarity in part II, I can better  
prepare the new firewall for the network.

Stacked Heaps Of Thanks,
farmer6re9
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
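An added example, not from the list post or from Shorewall: Python that reads tcpdump lines of the kind quoted above and pulls out the two things the post asks about, inbound packets to 135/1026 whose source address differs from the destination by only one octet, and outbound RSTs, which are what a REJECT rule emits and a DROP rule would not. The sample lines, the `MY_IP` value, the regex and the function names are all constructed for this illustration.

```python
import re

# Constructed sample in tcpdump's "IP src.port > dst.port: ..." form; the two
# 65/66.203.175.213 addresses are the ones quoted in the post, the rest are made up.
SAMPLE = """\
IP 65.203.175.213.666 > 66.203.175.213.1026: UDP, length 420
IP 10.9.8.7.4321 > 66.203.175.213.135: Flags [S], seq 1, win 65535, length 0
IP 66.203.175.213.135 > 10.9.8.7.4321: Flags [R.], seq 0, ack 2, win 0, length 0
IP 198.51.100.5.53 > 66.203.175.213.32768: UDP, length 80
"""
MY_IP = "66.203.175.213"  # assumed address of the monitored host

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)")

# Ports discussed in the post: 135 (DCOM endpoint mapper) and 1026/1027
# (Windows Messenger service, the NetrSendMessage pop-up spam target).
WATCH = {135: "dcom-epmap", 1026: "messenger", 1027: "messenger"}

def octet_distance(a, b):
    """Number of dotted-quad octets that differ between two addresses."""
    return sum(x != y for x, y in zip(a.split("."), b.split(".")))

def classify(line, my_ip):
    """Tag one inbound line to my_ip on a watched port, else return None."""
    m = LINE.match(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m[1], int(m[2]), m[3], int(m[4]), m[5]
    if dst != my_ip or dport not in WATCH:
        return None
    tags = [WATCH[dport]]
    if rest.startswith("UDP") and dport in (1026, 1027):
        tags.append("udp-popup-spam")
    if "Flags [S]" in rest:
        tags.append("syn-probe")
    if octet_distance(src, dst) == 1:
        tags.append("src-near-identical")  # one octet off from us: worth a look
    return {"src": src, "sport": sport, "dport": dport, "tags": tags}

def scan(text, my_ip):
    return [r for r in (classify(l, my_ip) for l in text.splitlines()) if r]

def reject_replies(text, my_ip):
    """Outbound RSTs from my_ip: each one confirms to the sender that the host
    is up, which is the difference between REJECT (reply) and DROP (silence)."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m[1] == my_ip and m[5].startswith("Flags [R"):
            out.append((int(m[2]), m[3]))
    return out
```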