Firewall Wizards mailing list archives

screen and choke network config


From: Dave Piscitello <dave () corecom com>
Date: Tue, 28 May 2002 15:07:43 -0400

I have just upgraded from a lame DSL bridged configuration to
a routed configuration.

I have an access router that can packet filter.

Behind this I have a public IP subnet on which I run between
4-6 firewalls and VPN appliances.

I'd like to process all syslog messages from the access router
and firewalls at a server behind one of the firewalls, and so would
open 514 inbound on the firewall (for a list of FWs), and block
514 inbound on the access router. This is done and is working
nicely.

I realized looking through my logs that I can save duplicate log
entries if I packet filter annoying inbound TCP/UDP/ICMP types
at the access router. Since all the firewalls will have a default
deny all inbound policy (except the one firewall that allows http),
I'd set the access router in an inverse manner
to "allow anything but stuff I don't want duplicate log entries for".

I wonder what beyond the following list you might add. These
are the ports I most frequently see in my last 3 months' logs...


23 telnet
69 tftp
79 finger
111 sunrpc
137, 138, 139 msft noiseBOIS
161, 162 snmp, trap
194 irc
512-514 remote exec, login, shell

I still want to see how my doorknob's being rattled, I just
want to minimize the number of times I see any individual "rattle".

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com
hhi.corecom.com/~yodave/
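As an added example (not part of the post), a small Python routine that does what the author did by hand: tally firewall deny entries by protocol and destination port and rank the repeat offenders as candidates for screening at the access router, so that only the rarely seen "rattles" keep reaching the firewall logs. The log line format, hostnames and addresses are constructed for the example; real syslog wording varies by product.

```python
import re
from collections import Counter

# Constructed sample of firewall deny lines (not real logs; the format is assumed).
SAMPLE_LOG = """\
May 28 14:01:02 fw1 deny tcp 203.0.113.5:40211 -> 198.51.100.10:23
May 28 14:01:07 fw2 deny tcp 203.0.113.5:40212 -> 198.51.100.11:23
May 28 14:02:10 fw1 deny udp 203.0.113.9:1034 -> 198.51.100.10:137
May 28 14:02:11 fw1 deny udp 203.0.113.9:1035 -> 198.51.100.10:138
May 28 14:03:44 fw3 deny tcp 203.0.113.22:3301 -> 198.51.100.12:111
May 28 14:05:01 fw1 deny tcp 203.0.113.5:40213 -> 198.51.100.10:23
May 28 14:06:30 fw2 deny tcp 192.0.2.77:5555 -> 198.51.100.11:22
"""

# Matches "deny <proto> <src>:<sport> -> <dst>:<dport>" at the end of a line.
LINE_RE = re.compile(r"deny (tcp|udp) \S+ -> \S+:(\d+)$")


def count_deny_targets(log_text):
    """Count deny events per (protocol, destination port) across all firewalls."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m.group(1), int(m.group(2)))] += 1
    return counts


def screen_candidates(counts, min_hits=2):
    """Return (proto, port, hits) tuples seen at least min_hits times, most
    frequent first. These are the ports worth dropping at the access router;
    anything below the threshold stays visible in the firewall logs."""
    return sorted(
        ((proto, port, n) for (proto, port), n in counts.items() if n >= min_hits),
        key=lambda t: (-t[2], t[0], t[1]),
    )


if __name__ == "__main__":
    for proto, port, hits in screen_candidates(count_deny_targets(SAMPLE_LOG)):
        print(f"{proto}/{port}: {hits} denies")
```

Raise `min_hits` to the level of repetition you are willing to stop seeing; the tally is per firewall set, so a port hit once on each of several firewalls still counts as repeated noise.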


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

