Evgeniy
evgeniy@riscom.net
Thu May 15 12:59:03 UTC 2003
Hi,
I have the latest DCCM version (1.1.36).
After 24 hours of testing I see that dccm is rejecting mailing lists,
for example securityfocus.com.
In the whitecommon file I have these records:
# BUGTRAQ
ok substitute mail_host securityfocus.com
substitute Sender: focus-linux@securityfocus.com
ok substitute mail_host outgoing2.securityfocus.com
ok substitute mail_host lists.securityfocus.com
Example message:
VERSION: 3
DATE: 05/14/03 18:30:43 EEST
IP: ns.riscom.net ::ffff:195.138.96.90
HELO: ns.riscom.net
env_From: <focus-linux-return-1861-web=riscom.net@securityfocus.com>
mail_host=securityfocus.com.
env_To: <ameoba32@[195.138.96.154]> addr=ameoba32 dir=
Received: from outgoing2.securityfocus.com (outgoing2.securityfocus.com
    [205.206.231.26])
    by ns.riscom.net (8.12.9/8.12.9) with ESMTP id h4EFWOil002152
    for <web@riscom.net>; Wed, 14 May 2003 18:32:26 +0300 (EEST)
Received: from lists.securityfocus.com (lists.securityfocus.com
    [205.206.231.19])
    by outgoing2.securityfocus.com (Postfix) with QMQP
    id 0CCD48F342; Wed, 14 May 2003 09:03:06 -0600 (MDT)
Mailing-List: contact focus-linux-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <focus-linux.list-id.securityfocus.com>
List-Post: <mailto:focus-linux@securityfocus.com>
List-Help: <mailto:focus-linux-help@securityfocus.com>
List-Unsubscribe: <mailto:focus-linux-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:focus-linux-subscribe@securityfocus.com>
Delivered-To: mailing list focus-linux@securityfocus.com
Delivered-To: moderator for focus-linux@securityfocus.com
Received: (qmail 22027 invoked from network); 13 May 2003 03:37:46 -0000
From: Glynn Clements <glynn.clements@virgin.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <16064.26997.958174.256022@cerise.nosuchdomain.co.uk>
Date: Tue, 13 May 2003 04:41:41 +0100
To: Sebastian Muniz <seba@mtss.dnsalias.org>
Cc: Bill Tihen <bill@tasis.ch>, focus-linux@securityfocus.com
Subject: Re: IPChains Question (compatibility mode on kernel 2.4.x)
In-Reply-To: <20030512211700.124775f5.seba@mtss.dnsalias.org>
References: <3E43EB34.80504@travelamericas.com>
    <61945.195.15.127.161.1052481045.squirrel@cgi.tasis.ch>
    <20030512211700.124775f5.seba@mtss.dnsalias.org>
X-Mailer: VM 7.07 under 21.4 (patch 12) "Portable Code" XEmacs Lucid
Sebastian Muniz wrote:
> Hi!
> You are missing the point.
>
> ddp 37 DDP # Datagram Delivery Protocol
> Seems you are trying to block ddp, that is a protocol that runs
> _over_ tcp or udp
DDP is on the same layer as TCP, UDP, ICMP etc:
icmp 1 ICMP # internet control message protocol
igmp 2 IGMP # Internet Group Management
tcp 6 TCP # transmission control protocol
udp 17 UDP # user datagram protocol
ddp 37 DDP # Datagram Delivery Protocol
> Firewall can decide on the port but examining
> the port source/address of tcp and udp.
> For instance if you want to deny or accept ddp you should block/accept
> tcp/udp arriving on port 37.
TCP/UDP port 37 is the "time" protocol. DDP is IP protocol 37.
--
Glynn Clements <glynn.clements@virgin.net>
### end of message body ########################
X-DCC-Etherboy-Metrics: setcom.riscom.net 1002; bulk Body=116 Fuz1=116
    Fuz2=116

                     checksum                     server
        IP: 3e7e139e f6504a8c bc4e9b73 5d1440bc
  env_From: e9a921a6 386b9f30 0d8504c4 3566c63a
      From: ae31e18d a48ef900 4868ad3f 0fc3ed40
Message-ID: 21efb874 fe794d26 2809637d 96d69da6
  Received: 152f2eb9 fb30ae43 f936581b 028c7c01
      Body: 76c56ecd f51959fa c9ea1e8c d4486eda    115
      Fuz1: 4dc07bf3 100b36e8 a8f2698d f8b10bad    115
      Fuz2: a7ef1239 80f64288 98b01984 bf489482    115

rejection message: 550 5.7.1 mail h4EFUht8006998 from ::ffff:195.138.96.90
    rejected by Etherboy DCC
result: reject
My config:
#! /bin/sh
# set parameters for DCC start and cron scripts
# from Rhyolite Software DCC 1.1.36-1.29 $Revision$
DCC_CONF_VERSION=3
# don't set DCC_HOMEDIR since if we got here, it must be set
DCC_LIBEXEC=/var/dcc/libexec
DCC_RUNDIR=/var/run/dcc
DCCUID=root
# SRVR_ID must be set to run dccd. Do not set it if you do not
# want to run the DCC server. DCC server-IDS must be globally unique
# in a network of cooperating DCC servers.
SRVR_ID=
BRAND=
# optionally set to something like "local5" or "local5.notice" for
# dccd, dbclean, and dccm
DCC_INFO_LOG_FACILITY=local5
DCC_ERROR_LOG_FACILITY=local5
# used to start dccm
DCCM_ENABLE=on
# a common value is
# DCCM_ARGS="-SHELO -SX-Habeas-SWE-3 -Smail_host -SSender -SList-ID"
DCCM_ARGS="-a REJECT -t CMN,5,15"
DCCM_LOGDIR=log
DCCM_WHITECLNT=whiteclnt
DCCM_USERDIRS=userdirs
# set DCCM_LOG_AT to a number that determines "bulk mail" for your situation.
# 50 is a typical value.
# Leave DCCM_REJECT_AT blank until you are confident that most sources of
# solicited bulk mail have been white-listed. Then set it to the number
# that defines "bulk mail" for your site. Note that this rejection
# or "bulk" threshold does not affect the blacklisting effects of the
# DCCM_WHITECLNT white list file.
# Add '-aIGNORE' to DCCM_ARGS to ignore the bulkiness of mail except to
# add X-DCC headers.
DCCM_LOG_AT=200
DCCM_REJECT_AT=200
# override basic list of checksums controlling rejections or logging
DCCM_CKSUMS=
# additional checksums worthy of rejections or logging
DCCM_XTRA_CKSUMS=
# used to start dccd
DCCD_ENABLE=on
# A value for `dccd -t` computed from DCCM_REJECT_AT is assumed to set
# default flooding threshold.
DCCD_ARGS=
# used to start dccifd
DCCIFD_ENABLE=on
# a common value is
# DCCIFD_ARGS="-SHELO -SX-Habeas-SWE-3 -Smail_host -SSender -SList-ID"
DCCIFD_ARGS=
DCCIFD_LOGDIR="$DCCM_LOGDIR"
DCCIFD_WHITECLNT="$DCCM_WHITECLNT"
DCCIFD_USERDIRS="$DCCM_USERDIRS"
DCCIFD_LOG_AT="$DCCM_LOG_AT"
DCCIFD_REJECT_AT="$DCCM_REJECT_AT"
# override basic list of checksums controlling rejections or logging
DCCIFD_CKSUMS="$DCCM_CKSUMS"
# additional checksums worthy of rejections or logging
DCCIFD_XTRA_CKSUMS="$DCCM_XTRA_CKSUMS"
# days to keep files in DCC log directories
DBCLEAN_LOGDAYS=14
# used to start dbclean, including -e and -E
DBCLEAN_ARGS=
# ensure that the log facilities include levels and that $DCC_LOGGER
# has a default.
if test ! -z "$DCC_INFO_LOG_FACILITY"; then
    if expr "$DCC_INFO_LOG_FACILITY" : '.*\..*' >/dev/null; then
        :
    else
        DCC_INFO_LOG_FACILITY="$DCC_INFO_LOG_FACILITY.notice"
    fi
    DCC_LOG_ARGS="$DCC_LOG_ARGS -Linfo,$DCC_INFO_LOG_FACILITY"
fi
if test -z "$DCC_ERROR_LOG_FACILITY"; then
    # for $DCC_LOGGER
    DCC_ERROR_LOG_FACILITY=mail.err
else
    if expr "$DCC_ERROR_LOG_FACILITY" : '.*\..*' >/dev/null; then
        :
    else
        DCC_ERROR_LOG_FACILITY="$DCC_ERROR_LOG_FACILITY.err"
    fi
    DCC_LOG_ARGS="$DCC_LOG_ARGS -Lerror,$DCC_ERROR_LOG_FACILITY"
fi
DCC_LOGGER="logger -s -p ${DCC_ERROR_LOG_FACILITY-mail.err} -t DCC"