 From:  Frederick Page <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Blocking private networks
 Date:  Sun, 19 Dec 2004 05:15:16 +0100
Hello Michael,

Michael Scheer wrote on 18 December 2004:

>> He's just dropping it because it should never be seen on the internet,
>> and it's best practice to do so.

>Ah well, now I see, it goes in a line with the 224/4 and 240/5
>blocking...

At least my stupidity (needless static route) was good for something:
my config-file was helpful to others and might even help m0n0wall.

I previously had a Linux PC as gateway/router/packet filter to the
internet and invested much time into the iptables scripts, studied
dozens of examples, tried to find out why people did what they did,
etc.

So the following might be useful: I commented everything and really do
believe that someone competent might be able to pick up an idea or two
(please remember: this is a script for Linux).


#!/bin/sh
# These two variables are defined elsewhere in the full script; the
# defaults below are placeholders so this extract runs on its own.
# SYSCTL is the command used to write a kernel parameter, INET_IFACE
# the name of the interface facing the internet (eth0 is only an example).
SYSCTL=${SYSCTL:-"sysctl -w"}
INET_IFACE=${INET_IFACE:-eth0}

# This enables SYN flood protection.
# The SYN cookies activation allows your system to accept an unlimited
# number of TCP connections while still trying to give reasonable
# service during a denial of service attack.
$SYSCTL net.ipv4.tcp_syncookies="1"

# more against syn floods: increase backlog size
# reduce retries (Default: 5)
$SYSCTL net.ipv4.tcp_max_syn_backlog="1024"
$SYSCTL net.ipv4.tcp_synack_retries="3"

# This enables source validation by reverse path according to RFC1812.
# In other words, a packet is only accepted if a reply to its source
# address would be routed back out through the interface on which the
# packet arrived.  It's recommended for single-homed systems and routers
# on stub networks.  Since those are the configurations this firewall is
# designed to support, I turn it on by default.
# Turn it off if you use multiple NICs connected to the same network.
$SYSCTL net.ipv4.conf.${INET_IFACE}.rp_filter="1"

# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address.  This prevents
# a number of smurf and similar nasty DoS attacks.
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"

# This option can be used to accept or refuse source routed
# packets.  It is usually on by default, but is generally
# considered a security risk.  This option turns it off.
$SYSCTL net.ipv4.conf.all.accept_source_route="0"

# This option can disable ICMP redirects.  ICMP redirects
# are generally considered a security risk and shouldn't be
# needed by most systems
$SYSCTL net.ipv4.conf.all.accept_redirects="0"

# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
# (Note: secure_redirects only matters while accept_redirects is on;
# with accept_redirects=0 above it is a belt-and-braces setting.)
$SYSCTL net.ipv4.conf.all.secure_redirects="1"

# Enable bad error message protection
$SYSCTL net.ipv4.icmp_ignore_bogus_error_responses="1"

# Disable ECN (Explicit Congestion Notification)
# sadly because of many broken routers
$SYSCTL net.ipv4.tcp_ecn="0"


This is just an extract; the whole script is over 900 lines and I
really put some effort into it. It wasn't easy to replace with m0n0wall,
but I hope not all is lost and some of it might have use here.

Kind regards    Frederick
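A companion to the extract above, added here as an example and not part of the original post or of m0n0wall: a POSIX sh audit that compares `sysctl -a` output against the hardening values Frederick's script sets and reports every setting that has drifted. The `sysctl -a` text is a constructed sample, not a real host, and `INET_IFACE` is assumed to be eth0.

```shell
#!/bin/sh
# Constructed sample of `sysctl -a` output for offline testing (not from a real host).
# Four values deliberately differ from the hardening baseline.
SAMPLE_SYSCTL='net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 512
net.ipv4.tcp_synack_retries = 5
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_ecn = 0'

# Internet-facing interface; eth0 is an assumption, override via the environment.
INET_IFACE=${INET_IFACE:-eth0}

# Baseline taken from the hardening extract, as key=value pairs.
EXPECTED="net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=1024
net.ipv4.tcp_synack_retries=3
net.ipv4.conf.${INET_IFACE}.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_ecn=0"

# audit_sysctl "<sysctl -a output>": prints one line per drifted or missing
# setting and returns the number of drifts (0 means the host matches the baseline).
audit_sysctl() {
    output=$1
    drift=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Escape the dots so the key is matched literally by sed.
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(printf '%s\n' "$output" | sed -n "s/^$esc = //p")
        if [ -z "$have" ]; then
            echo "$key: not present in sysctl output"
            drift=$((drift + 1))
        elif [ "$have" != "$want" ]; then
            echo "$key: have $have, want $want"
            drift=$((drift + 1))
        fi
    done
    return $drift
}

audit_sysctl "$SAMPLE_SYSCTL" || echo "$? setting(s) drift from the hardening baseline"
```

On a live host, replace the sample with `audit_sysctl "$(sysctl -a 2>/dev/null)"`.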