So your realizing that a good firewall is catching a LOT of bad Internet traffic. That's a good thing but it's also filling up your logs to the point that you won't read them; that's bad. What to do?
What you need to figure out is what traffic you DON"T want to log, explicitly match those packets in the firewall, and NOT log the packets when you drop them.
For example, the TrinityOS firewall ruleset in section 10.7 (this would be a "strongest" ruleset in IPMASQ speak) gives some ideas: TrinityOS - Section 10.7
Things I recommend to filter:
All RFC1918 address space (TCP/IP address ranges: 10.x.y.z/8, 172.16-31.y.z/12, and 192.168.y.x/16). You should /never/ receive these packets from an Internet connection. If you do, they are most likely spoofed packets
Windows File and Print Sharing (Samba or CIFS): ports 137, 138, 139, and 445. Windows machines like to talk a lot though most computers don't care what they're saying.
Class-D Multicast addresses (if you don't use Multicast): 220.127.116.11/4
Class-E and F "future" addresses: 240.0.0.0/5 and 248.0.0.0/5
To a much lesser extent, you might want to filter other packets. I recommend that you verify that you are receiving these specific packet types before you filter them out.
RIP (the routing protocol): port 520
Some specific forms of ICMP packets - NOT all of them (that will break your machine and IPMASQ in general)
Finally, you'll probably find that some individual TCP/IP address out on the Internet always seem to attack your IP. So, in addition to filtering various PORTS like above, you might want to also filter by specific SOURCE IP address too. After all, it is *YOUR* firewall.
|( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM firewall errors?||Up||( MASQ Security ) - Can I configure IP MASQ to allow Internet users to directly contact internal MASQed servers?|
Hosting by: Hurra Communications Ltd.
Generated: 2007-01-26 17:58:18