[StartingOver]
Gregory D Hough
mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Fri Feb 13 14:06:34 UTC 2004
Greetings tlug,
Although I have four years of Linux under my belt, the more I learn the
less I know. My Lin/Win network fell apart, rather I TOOK it apart. I
saw things I didn't understand and felt it best to start over from
scratch.
I wish to begin rebuilding from the firewall. One thing I noticed right
from the get-go is the way a default firewall is handling certain
connection requests. Most notably is the way Shorewall on Mandrake
(out-of-the-box) treats ICMP (8) and port 135. Pings are dropped which
is a good thing, but SYN packets to 135 go to a reject chain and are
ultimately sent a ZeroWindow RST ACK. I thought this port was akin to a
Windows specific vulnerability with DCOM services. Why would a Linux
firewall be treating it differently in not just dropping it altogether?
Secondly, call me a geek, but I get more enjoyment watching tcpdump
than network TV and this just came in:
65.203.175.213:666 > 66.203.175.213:1026 in the form of a Messenger
NetrSendMessage request DCE RPC trying to tell me how to disable pop-ups
and to go to www dot messagestop dot net. I'm not concerned with
this traffic on this machine, but as I rebuild the network I've had to
give the kids a WinNT box to run that kludge called MSN Messenger. And
although I've done my best to DCOMbobulate that machine, I'd feel a
whole lot better putting it back behind a real firewall ASAP. This
particular set of packets is brand new to me, and the remarkable
similarity to my current IP address is disturbing. I believe it is no
coincidence and wish to bring the new network back up prepared for
such.
Perhaps if someone could briefly explain the 135 RST ACK (RFC
reference?) and the IP address similarity in part II, I can better
prepare the new firewall for the network.
Stacked Heaps Of Thanks,
farmer6re9
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
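The post asks two things a reader can model without touching a live firewall: what the "ZeroWindow RST ACK" answer to a SYN on TCP/135 actually is (and which RFC defines it), and how to recognise the Messenger-service datagrams to UDP/1026 in a capture. The script below is an added example and not part of the post or of Shorewall; the tcpdump-style lines, addresses and the function names (`parse_line`, `classify`, `respond`, `build_rst_for_syn`) are all constructed here. It labels each sample line, applies either the reject-based default the poster describes or a drop-everything policy, and for a rejected SYN builds the reset segment exactly as RFC 793 section 3.4 prescribes: sequence number 0, acknowledgement equal to the incoming sequence number plus one, flags RST+ACK, window 0, with a valid TCP checksum. The practical difference for a defender is that a DROP answers nothing, while a REJECT's RST confirms to the sender that a host is listening on that address.

```python
"""Model what a firewall's DROP vs REJECT target answers to the traffic in the post.

Sample capture lines are constructed (tcpdump-like), not taken from the post.
The RST segment follows RFC 793 section 3.4: for an incoming segment without ACK,
the reset carries SEQ=0 and ACK=incoming SEQ + segment length (a SYN counts as 1).
"""
import re
import socket
import struct

SAMPLE_LINES = [  # constructed examples of the three traffic kinds the post mentions
    "IP 192.0.2.10.4321 > 198.51.100.7.135: Flags [S], seq 1000, win 64240, length 0",
    "IP 192.0.2.20.666 > 198.51.100.7.1026: UDP, length 300",
    "IP 192.0.2.10 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64",
    "IP 192.0.2.11.5555 > 198.51.100.7.22: Flags [S], seq 77, win 5840, length 0",
]

# "IP src[.sport] > dst[.dport]: rest" as tcpdump prints IPv4 traffic
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)


def parse_line(line):
    """Return a dict describing one capture line, or None if it is not IPv4 traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    rest = d["rest"]
    if rest.startswith("ICMP echo request"):
        proto = "icmp-echo"
    elif rest.startswith("UDP"):
        proto = "udp"
    elif "Flags [S]" in rest:
        proto = "tcp-syn"
    else:
        proto = "other"
    seq = None
    if proto == "tcp-syn":
        sm = re.search(r"seq (\d+)", rest)
        seq = int(sm.group(1)) if sm else 0
    return {
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
        "proto": proto, "seq": seq,
    }


def classify(pkt):
    """Label the packet kinds discussed in the post."""
    if pkt["proto"] == "icmp-echo":
        return "ping"
    if pkt["proto"] == "tcp-syn" and pkt["dport"] == 135:
        return "epmap-probe"      # TCP/135 is the DCE RPC endpoint mapper
    if pkt["proto"] == "udp" and pkt["dport"] == 1026:
        return "messenger-popup"  # UDP/1026 is a common Messenger-service spam target
    return "other"


def tcp_checksum(src_ip, dst_ip, tcp_bytes):
    """Ones-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp_bytes))
    data = pseudo + tcp_bytes
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst_for_syn(pkt):
    """RFC 793 3.4 reset for a SYN to a closed/rejected port: SEQ=0, ACK=seq+1, RST+ACK, win 0.

    Returns (field dict, 20-byte TCP header with checksum filled in).
    """
    fields = {
        "src": pkt["dst"], "sport": pkt["dport"], "dst": pkt["src"], "dport": pkt["sport"],
        "seq": 0, "ack": (pkt["seq"] + 1) & 0xFFFFFFFF, "flags": "RA", "win": 0,
    }
    # data offset 5 words, flags 0x14 = ACK(0x10) | RST(0x04), window 0, checksum 0, urgent 0
    hdr = struct.pack("!HHIIBBHHH", fields["sport"], fields["dport"], fields["seq"],
                      fields["ack"], 5 << 4, 0x14, 0, 0, 0)
    csum = tcp_checksum(fields["src"], fields["dst"], hdr)
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]
    return fields, hdr


# Policies map a label to a target; anything unlisted falls through to DROP.
OBSERVED_DEFAULT = {"ping": "DROP", "epmap-probe": "REJECT"}  # behaviour the post describes
QUIET = {}  # every probe is dropped: nothing is sent back


def respond(pkt, policy):
    """Return (label, reply) where reply is None for DROP or a dict describing the REJECT answer."""
    label = classify(pkt)
    if policy.get(label, "DROP") == "DROP":
        return label, None
    if pkt["proto"] == "tcp-syn":
        return label, build_rst_for_syn(pkt)[0]   # REJECT --reject-with tcp-reset
    return label, {"icmp": "port-unreachable"}    # iptables REJECT default for non-TCP


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        pkt = parse_line(line)
        for name, policy in (("observed", OBSERVED_DEFAULT), ("quiet", QUIET)):
            label, reply = respond(pkt, policy)
            print("%-8s %-15s -> %s" % (name, label, "silence" if reply is None else reply))
```

Running the script shows the rejected SYN answered with `seq 0, ack 1001, flags RA, win 0` under the observed policy and with silence under the quiet one; the checksum routine lets you confirm the built header is well-formed by recomputing it and getting zero.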