Re[2]: [cobalt-users] Portsentry/IPChains Log Entries
- Subject: Re[2]: [cobalt-users] Portsentry/IPChains Log Entries
- From: Brian Curtis <admin@xxxxxxxxxxx>
- Date: Mon Feb 5 05:31:01 2001
- Organization: Pomfret Computer Technologies, LLC
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>> Q: I've installed IPChains, Portsentry and Logcheck and have Portsentry
>> dropping into IPChains on scans. I'm trying to figure out how to have
>> Portsentry/IPChains ignore a certain IP range <the ignore files don't
>> seem to work
>> It seems that another system that shares our network connection
>> keeps littering our logs with entries <from port 137/138>.. We've tried
>> everything possible to stop this logging as the logs easily reach 50 megs
<SNIP>
You could simply add another rule or two into your ipchains stack,
near the top (before any other rules that block access for the
particular offending host), that ignores certain connections w/o
logging any attempts.
$ ipchains -I input 1 -p tcp -s 192.168.0.1 --destination-port 137 -j DENY
(Modify and/or replicate to suit your needs. Explanation below**.)
Will insert the following as rule #1 into the 'input' chain:
target prot opt source destination ports
DENY tcp ------ 192.168.0.1 0.0.0.0/0 * -> 137
This will only block 192.168.0.1 from connecting to port 137 anywhere
on your box *without* logging any connection attempts.
**
-I input 1 : insert rule into chain 'input' at position #1
-p tcp : protocol this rule applies to (tcp assumed in this case)
-s 192.168.0.1 : source IP of connection to filter (offender)
--destination-port 137 : specific port to block connections to
-j DENY : what to do with this connection? (DENY w/o response)
**
To turn on kernel logging, you'd add a "-l" to the end of your rule
command. Try the ipchains cookbook ($ man ipchains) for your own
half-baked solutions.
--
Best regards,
Brian Curtis
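As an added example (not code from the post above or from the ipchains project), a small sh script that generalises the rule to both tcp and udp on both NetBIOS ports 137 and 138 for one host, inserting each rule at position 1 so all of them precede any later logging (-l) rules, and a check against an `ipchains -L input -n` listing in the format shown above. The IPCHAINS override variable and the host 192.0.2.10 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the ipchains project.
# Inserts DENY rules *without* -l for one noisy host, ahead of any later
# logging rules in the 'input' chain, covering the ports the question
# mentions (137/138) over both tcp and udp.
# Assumes ipchains is on PATH; set IPCHAINS=echo for a dry run.

IPCHAINS="${IPCHAINS:-ipchains}"

# Emit one rule per protocol/port pair. Each is inserted at position 1,
# so all four end up before whatever logging rules already exist.
quiet_deny_rules() {
    host="$1"
    for proto in tcp udp; do
        for port in 137 138; do
            echo "-I input 1 -p $proto -s $host --destination-port $port -j DENY"
        done
    done
}

# Run each rule through ipchains (or the dry-run command in $IPCHAINS).
apply_quiet_deny() {
    quiet_deny_rules "$1" | while read -r rule; do
        # word-splitting of $rule is intentional: it is the argument list
        $IPCHAINS $rule || return 1
    done
}

# Check an `ipchains -L input -n` listing (format as in the post, e.g.
# "DENY tcp ------ 192.168.0.1 0.0.0.0/0 * -> 137") for a DENY on host/port.
rule_listed() {
    listing="$1"; host="$2"; port="$3"
    printf '%s\n' "$listing" | grep -q "^DENY .* $host .*-> $port\$"
}

# Usage: IPCHAINS=echo sh quiet_deny.sh 192.0.2.10   (dry run)
if [ $# -eq 1 ]; then
    apply_quiet_deny "$1"
fi
```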