[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: directpc.com question... (deals with pf... )



That's why I'm blocking those Winblows ports...    I know what they are..
but it's just the pure number of full network scans attempted.
IP Addresses that I have, but not have allocated, I kill all traffic going
to them (which is funny to see who's mis-configured)  but it's just straight
down the line on those scans...
I'm not talking about their website IP Address...   your correct in that
they have a modem for upstream, and that dish for downstream.
If a packet with a source address that is not one of my IP Addresses or on
RFC1918 tries to leave my internet interface... it's killed...  I do that on
purpose as I don't want broadband users having their machines turned to
zombies, or their 12 year old kid finding a "cool" script.
Their site say's Earthlink... but they say their an Ecorp company or
something...
What happens if they are using RFC1918 addresses?  I've been seeing a LOT of
10 dot traffic trying to exit... and also hit my DNS servers.
If their using 10 dot addresses (which is stupid), I'm ok with allowing
it... IF I know all the places that it's suppose to goto.
It just pisses me off when you spend an hour on their tech support line, and
they say "We can't give you those addresses for security reasons"  I'm just
like.. ok.. my network.. I see all the traffic anyway...   After that, he
kept telling me that "No, we're not blocking anything"  me: "No, I need to
know your IP Address's Blocks.  They'll be something like a 1.2.3.4/20 or
something like that"   him:  "No, we're not blocking any ip addresses"
-----Original Message-----
From: owner-pf@benzedrine.cx [mailto:owner-pf@benzedrine.cx]On Behalf Of
jolan
Sent: Wednesday, December 18, 2002 5:48 PM
To: Shawn Mitchell
Cc: pf@benzedrine.cx
Subject: Re: directpc.com question... (deals with pf... )
On Wed, Dec 18, 2002 at 05:24:07PM -0600, Shawn Mitchell wrote:
> Anyone know what IP Addresses directpc.com uses?
>
> Apparently they use async routing... basicly spoofing ip addresses... and
pf
> is killing them.
hrm?  do you mean the people whose upstream is a modem, and downstream
is satellite?
can you be more specific about pf "killing them"?
> I'm not going to allow them unless I know what addresses, and where their
> going to.
you can cross reference the blocked ip's with information on
www.arin.net.
> I would just look at the logs..  but when your shoving about 70 mbit/sec
> through a box... you really can't see stuff  that fast...
dump it to a file.
> And what the piss is it with all these 445/137/139 scans???
welcome to the world of wormed windows hosts as your neighbors.
my isp filters 137/139, for the rest i do:
block in quick on $ext_if inet proto tcp from any to $ext_ip \
        port {  21 80 135 445 1433 12345 27374 31337 }
- jolan