Mark Wooding [Thu, 8 Apr 2010 19:18:30 +0000 (20:18 +0100)]
vampire.m4: Remove the magical DNS DDoS hack.
We're going to use fail2ban for this job (and others). So we don't need
logtrawl any more.
Mark Wooding [Thu, 23 Jul 2009 11:24:08 +0000 (12:24 +0100)]
vampire.m4: Log messages when rejecting DNS DDOS packets.
Mark Wooding [Thu, 4 Jun 2009 14:55:44 +0000 (15:55 +0100)]
vampire: Add special hook for DNS badness.
There's a DDOS attack which works by sending DNS servers bogus requests
with spoofed source addresses. The servers' error reports end up
bombarding the victim.
The `logtrawl' program maintains an ipset listing the known victim IP
addresses based on the DNS server's logs; here, we /drop/ matching
packets -- otherwise the ICMP fallout would do just as well as the DNS
errors at clobbering the victim. Fortunately this isn't very evil,
since DNS over UDP is unreliable anyway.
It may be that `logtrawl' grows up to do more of this stuff later.
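The mechanism the commit above describes, shown as an added example (this is not the repository's own code and not the `logtrawl' program; it is a small hypothetical stand-in written to illustrate the idea): scan resolver log lines for the addresses that keep drawing "denied" replies, treat the heavy hitters as spoofed victims, and emit ipset/iptables commands that DROP the matching requests. The log format is constructed and only loosely modelled on a BIND-style message, and the set name `dns-victims`, the threshold of 3, and the `INPUT`/udp/53 rule shape are assumptions, not anything the repository specifies.

```python
"""Hypothetical stand-in for the `logtrawl' idea: find DNS reflection victims
in resolver logs and emit ipset/iptables commands that DROP (not REJECT) the
spoofed requests.  Added example, not the repository's own code."""
import re
from collections import Counter

# Constructed sample log lines, loosely modelled on a BIND-style
# "query ... denied" message.  Real formats differ; adjust DENIED_RE.
SAMPLE_LOG = """\
Jun  4 14:50:01 ns named[1234]: client 203.0.113.7#53: query (cache) 'isc.org/ANY/IN' denied
Jun  4 14:50:01 ns named[1234]: client 203.0.113.7#53: query (cache) 'isc.org/ANY/IN' denied
Jun  4 14:50:02 ns named[1234]: client 203.0.113.7#53: query (cache) 'isc.org/ANY/IN' denied
Jun  4 14:50:02 ns named[1234]: client 198.51.100.9#40123: query (cache) 'example.com/A/IN' denied
Jun  4 14:50:03 ns named[1234]: client 203.0.113.7#53: query (cache) 'isc.org/ANY/IN' denied
Jun  4 14:50:03 ns named[1234]: client 192.0.2.44#53: query (cache) 'isc.org/ANY/IN' denied
"""

# Assumed format: "client A.B.C.D#port: query ... denied"
DENIED_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+: query .* denied")

IPSET_NAME = "dns-victims"   # assumed set name


def count_denied(log_text):
    """Count, per apparent source address, how many 'denied' replies it drew."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def victims(log_text, threshold=3):
    """Addresses seen at least `threshold` times (assumed threshold).

    A spoofed victim shows up as one address attracting a flood of error
    replies it never asked for; that address goes into the ipset."""
    return sorted(ip for ip, n in count_denied(log_text).items() if n >= threshold)


def firewall_commands(addrs, ipset=IPSET_NAME):
    """Build the commands a privileged job would run to protect `addrs`.

    The requests are matched on their (spoofed) source address and DROPped.
    REJECT would be wrong here: its ICMP error would be sent to the spoofed
    source, i.e. straight at the victim, which is exactly the traffic the
    rule exists to stop."""
    cmds = [f"ipset create {ipset} hash:ip -exist"]
    cmds += [f"ipset add {ipset} {ip} -exist" for ip in addrs]
    match = f"-p udp --dport 53 -m set --match-set {ipset} src"
    cmds.append(f"iptables -A INPUT {match} -j LOG --log-prefix 'dns-ddos: '")
    cmds.append(f"iptables -A INPUT {match} -j DROP")
    return cmds


if __name__ == "__main__":
    for cmd in firewall_commands(victims(SAMPLE_LOG)):
        print(cmd)
```

Running the script only prints the commands; feeding them to a shell is left to whatever privileged job owns the firewall, so the log parser never needs root itself. Note the LOG rule sits before the DROP rule, mirroring the later commit that logs the rejected packets.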
Mark Wooding [Tue, 13 Jan 2009 18:11:39 +0000 (18:11 +0000)]
vampire: Add accounting rules for Tor on the OUTPUT chain.
This will tell me what I actually wanted to know.
Mark Wooding [Mon, 12 Jan 2009 21:40:20 +0000 (21:40 +0000)]
vampire: Move tor ports to a separate rule.
This way we can get separate accounting for tor traffic.
Mark Wooding [Mon, 12 Jan 2009 15:10:22 +0000 (15:10 +0000)]
vampire: Open up public ports for tor.
Mark Wooding [Wed, 7 Jan 2009 19:04:52 +0000 (19:04 +0000)]
local.mk: Add install rule.
Mark Wooding [Wed, 7 Jan 2009 19:04:36 +0000 (19:04 +0000)]
Makefile: Put default rule before local makefile.
Otherwise rules in local.mk become the default.
Mark Wooding [Wed, 7 Jan 2009 19:03:59 +0000 (19:03 +0000)]
bookends: Prevent packets with destination localhost.
Linux blocks these anyway, but it's good to be sure.
Mark Wooding [Wed, 7 Jan 2009 18:55:01 +0000 (18:55 +0000)]
functions: Don't prefix log messages with `new' any more.
This was done to distinguish messages from the old firewall script.
We don't need it any more.
Mark Wooding [Wed, 7 Jan 2009 18:54:22 +0000 (18:54 +0000)]
filter: Bogus file, unused.
Not sure how this one got left behind.
Mark Wooding [Wed, 10 Dec 2008 10:00:35 +0000 (10:00 +0000)]
Initial commit of fancy firewall infrastructure.