Increasing anti-spoofing rules

What options are available on the C370s for implementing anti-spoofing controls in order to protect our company from the increasing number of phishing emails using spoofed addresses?
We already have an inbound rule to check the MAIL FROM field and reject all messages that contain our domains.

Hello Anne,
I hope that this tech-note may help:
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117796-problemsolution-esa-00.html
This is a technote to assist with tagging possibly spoofed emails.
You can change the action to another action if you want the message to be dropped or handled in some other manner.
Regards,
Matthew

Similar Messages

  • How to create anti-spoof rules with exception

    Hello all,
    I'm a beginner with Ironport and I need to create rules for specific cases.
    I manage many mail domains and I want to create an anti-spoof rule with a message filter. Easy to do with a dictionary containing all my mail domains.
    But I have some mail addresses with external applications that need to be sent with my mail domains.
    For example, I receive acknowledgement mails sent with the [email protected] address, and example.com is a domain accepted and managed by my enterprise. So if I activate my anti-spoof rule, all external [email protected] mail will be dropped.
    For example I tried this rule with no success:
    Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND (mail-from-dictionary-match("Bypass_Sender", 0)) {
        drop();
    }
    I tried this rule too:
    Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND ((mail-from != "^[email protected]$") OR (mail-from != "^[email protected]$") OR (mail-from != "@ack.mydomain.com$")) {
        drop();
    }
    Have you got any tips or advice for my funny case?

    Hello,
    We use the following message filter to ear-mark spoofed messages with an X-Header (which we later use for reporting since we told Ironport to log this specific header)
    Spoofed_Email_Filter: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("dict_internaldomains", 1)) {
        insert-header("X-Spoofed", "from[$EnvelopeFrom]_To[$EnvelopeRecipients]_IP[$RemoteIP]_rep[$Reputation]");
    }
    The one drawback is that we need to maintain the dictionary "dict_internaldomains". If we forget to add a new domain to this list it will never be detected as spam.
    A good new message filter functionality would be to be able to do a "mail-from-rat-match" which would allow you to use the RAT table(s) as a dictionary.
    We plan to solve this by moving the RAT to LDAP and query that same LDAP as dictionary. (If only I had time to test it) :D
    Good luck,
    Steven

  • Anti-spoofing rule

    I am trying to create an anti-spoofing rule using the message filter feature.
    It is like
    if ( header("from") == "@*mydomain\\.com$" ) { apply anti-spoofing rules here; }
    But the rough part is to be able to whitelist certain hosts, e.g., our partners.
    For example:
    AND ( header("Received") != "whitelist1|whitelist2...." )
    Is there a better way to do this? My concern is that this will get very long and error prone over time.
    Thanks,
    Jack

    What if you add all your partner ip addresses/domains to a sendergroup called 'partner_whitelist'.
    Next, you can modify your existing filter to bypass spoofing checks from partner domains:
    if (( header("from") == "@*mydomain\\.com$" ) AND (sendergroup != 'partner_whitelist'))
    { apply anti-spoofing rules here; }
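    As an added example (not code from either thread, and not an AsyncOS API), the filter logic discussed in these two threads modelled in Python so the exception handling can be checked on sample messages: an internal-domain dictionary match, an exact-address bypass list for external applications, and a partner sender group that bypasses the check, with the X-Spoofed tagging header in the form Steven's filter inserts. The dictionary contents, the sender-group name and the message attributes are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the appliance's content dictionaries and sender group.
# Like the real dictionaries, these must be kept in sync with the RAT by hand.
MY_DOMAINS = {"example.com", "mydomain.com"}      # "My_Domains" / "dict_internaldomains"
BYPASS_SENDERS = {"ack@ack.mydomain.com"}         # "Bypass_Sender": external apps allowed to use our domains
PARTNER_GROUP = "partner_whitelist"               # sender group holding partner MTAs


@dataclass
class InboundMessage:
    """Only the attributes the filters consult (constructed model, not an AsyncOS object)."""
    envelope_from: str
    envelope_recipients: list
    remote_ip: str
    reputation: float
    sendergroup: str = "UNKNOWNLIST"
    recv_listener: str = "IncomingMail"
    headers: dict = field(default_factory=dict)


def envelope_domain(mail_from: str) -> str:
    """Domain of the envelope sender, lower-cased; '' for the null sender used by bounces."""
    addr = mail_from.strip().strip("<>").lower()
    return addr.rpartition("@")[2] if "@" in addr else ""


def mail_from_dictionary_match(mail_from: str, domains: set) -> bool:
    """Model of mail-from-dictionary-match("My_Domains", 1): one matching term is enough.
    Match on a label boundary so 'notexample.com' does not match 'example.com'."""
    dom = envelope_domain(mail_from)
    return any(dom == d or dom.endswith("." + d) for d in domains)


def spoof_filter(msg: InboundMessage, action: str = "tag") -> str:
    """Return 'deliver', 'tag' or 'drop' for an inbound message; when tagging, add the
    X-Spoofed header Steven's filter inserts (handy for reporting before moving to drop).

    The exceptions are conjunctive: a message is treated as spoofed only if the sender
    is outside the partner sender group AND differs from every bypass address."""
    if msg.recv_listener != "IncomingMail":
        return "deliver"        # outbound listener: our domains are expected there
    if not mail_from_dictionary_match(msg.envelope_from, MY_DOMAINS):
        return "deliver"        # external sender domain, not this filter's concern
    if msg.sendergroup == PARTNER_GROUP:
        return "deliver"        # partner MTA allowed to relay our domains
    if msg.envelope_from.strip().strip("<>").lower() in BYPASS_SENDERS:
        return "deliver"        # known external application sending as us
    if action == "drop":
        return "drop"
    msg.headers["X-Spoofed"] = "from[%s]_To[%s]_IP[%s]_rep[%s]" % (
        msg.envelope_from, ",".join(msg.envelope_recipients), msg.remote_ip, msg.reputation)
    return "tag"


if __name__ == "__main__":
    # Constructed samples: a spoof, the acknowledgement application, a partner, an outsider.
    samples = [
        InboundMessage("attacker@example.com", ["ceo@example.com"], "203.0.113.9", -3.5),
        InboundMessage("ack@ack.mydomain.com", ["ops@mydomain.com"], "198.51.100.4", 5.0),
        InboundMessage("alerts@example.com", ["ops@example.com"], "198.51.100.5", 5.0,
                       sendergroup=PARTNER_GROUP),
        InboundMessage("bob@notexample.com", ["ops@example.com"], "198.51.100.6", 2.0),
    ]
    for m in samples:
        print(m.envelope_from, "->", spoof_filter(m), m.headers.get("X-Spoofed", ""))
```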

  • Deploy OpenStack GA release failed due to anti-affinity rule

    When I deploy the OpenStack GA release, the following error popped up at the last step on the deployment wizard page.
    "Deploy OpenStack instance failed. Insufficient number of ESXi hosts to meet the anti-affinity rule"
    I have 3 ESXi hosts in management cluster and 1 host in compute cluster, which I used to deploy the beta version without any problem.
    Is there any workaround for this without adding more hosts?

    I have the same/similar error:
    "PlacementException: Cannot find datastore with enough space and meets the datastore anti-affinity rule for [VIO-Controller-0]. Nodes with the same role cannot be placed onto the same datastore."
    According to the oms.log [VIO-DB-0], [VIO-DB-1] and [VIO-DB-2] can be properly placed but the problem is always with [VIO-Controller-0]. Whatever I have done (more disc space, more ESXi servers, more datastores) - the problem did not disappear.
    Unfortunately I was not able to find any document which explains the requirements for datastore (anti) affinity - there is only 1 page in the documents which describe the storage requirements e.g. db server requires 80 GB (although actually [VIO-DB-0] could only be placed if the disc has 100GB).
    But no word on affinity rules or number of required datastores or datastore size.
    I am using a test environment with 3 to 5 nested ESXi v6.0 (!!) for the management cluster with a total of around 1.2 TB free disc space for the management cluster.
    To me it appears that there exists "somewhere" an undocumented affinity/anti-affinity rule for the placement of the management VMs, especially for [VIO-Controller-x].
    I would appreciate if someone could describe the disc/datastore configuration for a successful implementation of OpenStack GA release!
    I do attach an older oms.log with above error message (not sure which configuration I tested at that time, probably 3 ESXi with 3 or 4 datastores with 100GB disc space each per ESXi).

  • Unable to deploy VIO OpenStack due to anti-affinity rule

    Hello,
    I am trying to deploy OpenStack through vSphere web client. The deployment fails due to an error "Deploy OpenStack instance failed. Insufficient number of ESXi hosts to meet the anit-affinity rule."
    I saw a previous post related to the same issue where it is mentioned that you need at least 800GB of datastore space on the hosts combined in a cluster.
    I have 2 Hosts in the Management cluster adding up to 1000GB and 2 Hosts in the Compute Cluster with about 800GB datastore space combined. I have one host in the Edge Cluster with datastore space of 250GB.
    How much datastore space should each cluster comprise of to deploy OpenStack instances without failing? Are there any other credentials like CPU/Memory/Disk space that must be considered for the deployment?
    I would really appreciate any help.
    Thanks,
    Radhika

    Hi,
    I have followed the OpenStack Quick Start Guide and deployed hosts and enabled DRS, host monitoring  etc along with enabling vMotion and FT. I did deploy another ESXi host under Management cluster. Now, management cluster comprises of 3 Hosts with total 1080GB datastore space, Compute cluster with 2 hosts and about ~800GB datastore space and Edge cluster with 1 Host - 250GB datastore space.
    Now, while deploying the OpenStack, it fails due to "Cannot find datastore with enough space and meets datastore anti-affinity rule for [VIO-Controller 0]"
    Attached is the error message. Datastore has enough space, but I don't understand why I am getting this. How do I fix this?
    Thanks,
    Radhika

  • Anti spoof acl and cisco 7606

    Hi all,
    I have a strange problem with an anti-spoof access-list which I would like to set up on a Cisco 7606 with 7600-PFC3CXL. So I made an access-list which is in [1.] and set it up on interface Te1/1 like this [2.], but there are no matches in the output direction? Why? Well, I made a test with [3.] but no matches in the access-list and ICMP was working; then I made change [4.] and yes, ICMP was not working and I have seen a match in the input direction, good. It looks like the output direction in the ACL is not working, so I removed line 1 in ACL [4.] and ICMP still was not working and ACL [3.] started matching ICMP in line 1? Why? Can anybody help me? Thanks.
    Karel
    btw.> I tried to solve this problem with these links:
    http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/acl.html
    http://www.cisco.com/web/about/security/intelligence/acl-logging.html
    [1.]
    Extended IP access list anti_spoof_Te1/1_input
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 172.16.0.0 0.15.255.255 any
    30 deny ip 192.168.0.0 0.0.255.255 any
    40 deny ip 127.0.0.0 0.255.255.255 any
    50 deny ip 194.79.52.0 0.0.3.255 any
    60 deny ip 0.0.0.0 0.255.255.255 any
    70 permit ip any OUR CIDR
    80 permit ip any host BGP Neighbor
    90 deny ip any any
    Extended IP access list anti_spoof_Te1/1_output
    10 deny ip any 10.0.0.0 0.255.255.255
    20 deny ip any 172.16.0.0 0.15.255.255
    30 deny ip any 192.168.0.0 0.0.255.255
    40 deny ip any 127.0.0.0 0.255.255.255
    50 deny ip any 0.0.0.0 0.255.255.255
    60 deny ip any OUR CIDR
    70 permit ip host BGP Neighbor any
    80 permit ip OUR CIDR any
    90 deny ip any any
    [2.]
    ip access-group anti_spoof_Te1/1_input in
    ip access-group anti_spoof_Te1/1_output out
    [3.]
    Extended IP access list anti_spoof_Te1/1_output
    1 deny icmp host from OUR CIDR host in INTERNET log-input
    10 deny ip any 10.0.0.0 0.255.255.255
    20 deny ip any 172.16.0.0 0.15.255.255
    30 deny ip any 192.168.0.0 0.0.255.255
    40 deny ip any 127.0.0.0 0.255.255.255
    50 deny ip any 0.0.0.0 0.255.255.255
    60 deny ip any OUR CIDR
    70 permit ip host BGP Neighbor any
    80 permit ip OUR CIDR any
    90 deny ip any any log-input
    [4.]
    Extended IP access list anti_spoof_Te1/1_input
    1 deny icmp host from INTERNET host from OUR CIDR
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 172.16.0.0 0.15.255.255 any
    30 deny ip 192.168.0.0 0.0.255.255 any
    40 deny ip 127.0.0.0 0.255.255.255 any
    50 deny ip 194.79.52.0 0.0.3.255 any
    60 deny ip 0.0.0.0 0.255.255.255 any
    70 permit ip any OUR CIDR
    80 permit ip any host BGP Neighbor
    90 deny ip any any

    Following links may help you
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

  • Anti Spoofing

    I have an AIP-SSM-20 module that I am in the process of upgrading the system images and the signatures.
    I was wondering if someone could guide me in the right direction on how to configure an anti-spoofing policy on the sensor.
    If you have some sample configs that I could look at or even if you can explain to me how to do it through the GUI I would really appreciate it.

    Carlos,
    It depends on what type of attack you are attempting to protect against. RPF will help you when a host spoofs an address on an interface where it should not live. For instance, if your internal network is 192.168.1.0/24 and a packet arrives on the outside of your firewall with a source address of 192.168.1.2, the appliance can drop the packet due to the information in its routing table. However, SYN floods from the Internet are a different matter. There is a mechanism on the IPS that can help you with this. Please see the document below for the SYN Cookie functionality of IPS Signature 3050/0.
    https://supportforums.cisco.com/docs/DOC-11874
    Thank you,
    Blayne Dreier
    Cisco TAC IDS Team
    **Please check out our Podcast**
    TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

  • Cisco 1921 - Anti Spoofing?

    Hello there.
    I have a customer who has a service from "sharedband" which basically bonds two ADSL lines. The DSL lines terminate on two Netgear routers that talk to each other using the Sharedband service. The two Netgears present a single IP address to the LAN, in front of which I have placed a router to provide firewall services.
    I have configured S2S VPN, CBAC, ACLs and locked down the router pretty well, but haven't configured any sort of anti-spoofing.
    The support guy from Sharedband says I need to "turn off" anti-spoofing on the Cisco router. But I HAVEN'T configured it and am not aware it's on by default. As you can imagine, when both Netgears are switched on, packets get lost and the service goes really slow. When only one router is operational, it works like a dream, albeit slow due to the line speed.
    Is there anything on by default, or can I configure anything to allow 2 MAC addresses to be accepted for the same IP address? It's not like HSRP where it provides a virtual MAC address. IP CEF is switched ON; it's running IOS version 15.0.
    The folks at Sharedband pointed me in the direction of a document they provide that states how to switch anti-spoofing off, but that's on a DrayTek which we aren't using.
    Here is that link: http://support.sharedband.com/index.php?act=article&code=view&id=3
    Anyone know how to do this in IOS?

    Hi,
    I found this post Googling after problems with a 1921 on Sharedband. Opened a TAC case - no luck so far.
    However, adding a secondary IP in the subnet of the Sharedband physical IPs enables the 1921 to "see" all the Sharedband routers and improves performance - same result as the Sharedband "20 milliseconds of resequencing" workaround:
    ip address 192.168.3.254 255.255.255.0 secondary
    1921-BRSA-2CAMB#sh ip arp g0/1
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  91.108.165.74           -   588d.0978.3f21  ARPA   GigabitEthernet0/1
    Internet  192.168.3.254           -   588d.0978.3f21  ARPA   GigabitEthernet0/1
    Internet  91.108.165.73           0   e894.f667.eff8  ARPA   GigabitEthernet0/1
    Internet  192.168.3.4             0   e894.f6bb.b990  ARPA   GigabitEthernet0/1
    Internet  192.168.3.1           137   e894.f667.eff8  ARPA   GigabitEthernet0/1
    Internet  192.168.3.2            94   e894.f6bb.bc76  ARPA   GigabitEthernet0/1
    Internet  192.168.3.3           113   e894.f6bb.b8f8  ARPA   GigabitEthernet0/1

  • GSS anti spoofing

    Hello.
    Anyone ever tried the GSS DDOS license? I am worried about redirecting a DNS request over TCP. What if the D-proxy is a legitimate one but is configured not to respond to TCP requests? In this case I am going to block legitimate requests (I know I can add trusted D-proxies to GSS).
    Anyone ever tried this feature?
    Best regards,
    Joao.

    I am afraid there may be tons of D-proxies not responding to TCP.
    Regards,
    Joao. 

  • SPAM filter setting for CRES secure e-mail

    I am using Ironport strictly as an outgoing e-mail encryption engine. We use a different incoming spam filter (Barracuda). I would like to be able to go to the CRES site and send an encrypted message to our internal domain so users can establish their CRES credentials. However, the anti-spoofing rules on the Barracuda block the incoming mail because the domain it was from is our internal domain. I have whitelisted the mx-res.cisco.com address, 216.206.186.134, but I am still receiving block messages like below (I removed the actual e-mail address):
    Your message did not reach some or all of the intended recipients.
    Subject: Test 1
    Sent: 10/15/2009 7:36 AM
    The following recipient(s) cannot be reached:
    (removed) on 10/15/2009 7:36 AM
    The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
    mx1.res.cisco.com #5.0.0 smtp; 5.1.0 - Unknown address error 550-'Blocked\x00\x006' (delivery attempts: 0)
    First of all, are there other IP addresses I should be whitelisting for Cisco RES outbound e-mail servers? What else do I need to do? I don't want to turn off the anti-spoofing, due to the spam we would receive.

    With the recent CRES upgrade the IP address range used for mail delivery has changed. Please refer to the posting below.
    https://www.ironportnation.com/forums/viewtopic.php?t=1482
    Best,
    Kishore

  • Source ip address for icmp messages not what is expected

    We have a router that has interfaces in multiple VRFs. One interface sits on a network that is routed on the Internet. The other interface sits on a VRF that is in a private address space and is used for WAN connectivity. The strange behavior that I'm seeing is related to ICMP messages coming off the router. It appears that scanners hitting the Internet-facing interface cause the router to generate ICMP messages (type 3) that are sourced using the IP address of the WAN-facing interface, and they are routed across the WAN, into our data center and dropped by our firewall due to anti-spoofing rules. Is this normal behavior? Doesn't seem normal to me. Is this behavior something that can be changed via configuration?

    Probably somebody is attacking you.
    You need an inbound access-list on the Internet-facing interface,
    and you need to filter the private source address classes A, B, C:
    ip access-list extended InWorld
     deny   ip any 192.168.0.0 0.0.255.255
     deny   ip any 172.16.0.0 0.15.255.255
     deny   ip any 10.0.0.0 0.255.255.255
     permit ip any any
    interface FastEthernet0
     description Internet-facing interface
     ip address 9.2.3.6 255.255.255.252
     ip access-group InWorld in
    Later you will see hit counts with
    sh access-lis
    Here is a detailed explanation:
    http://www.techrepublic.com/article/prevent-ip-spoofing-with-the-cisco-ios/
    They are using a more complicated access-list:
    In a typical IP address spoofing attempt, the attacker fakes the source of packets in order to appear as part of an internal network. David Davis tells you three ways you can make an attacker's life more difficult—and prevent IP address spoofing. 
    As you know, the Internet is rife with security threats, and one such threat is IP address spoofing. During a typical IP address spoofing attempt, the attacker simply fakes the source of packets in order to appear as part of an internal network. Let's discuss three ways you can protect your organization from this type of attack.
    Block IP addresses
    The first step in preventing spoofing is blocking IP addresses that pose a risk. While there can be a reason that an attacker might spoof any IP address, the most commonly spoofed IP addresses are private IP addresses (RFC 1918) and other types of shared/special IP addresses.
    Here's a list of IP addresses—and their subnet masks—that I would block from coming into my network from the Internet:
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16
    127.0.0.0/8
    224.0.0.0/3
    169.254.0.0/16
    All of the above are either private IP addresses that aren't routable on the Internet or used for other purposes and shouldn't be on the Internet at all. If traffic comes in with one of these IP addresses from the Internet, it must be fraudulent traffic.
    In addition, other commonly spoofed IP addresses are whatever internal IP addresses your organization uses. If you're using all private IP addresses, your range should already fall into those listed above. However, if you're using your own range of public IP addresses, you need to add them to the list.
    Implement ACLs
    The easiest way to prevent spoofing is using an ingress filter on all Internet traffic. The filter drops any traffic with a source falling into the range of one of the IP networks listed above. In other words, create an access control list (ACL) to drop all inbound traffic with a source IP in the ranges above.
    Here's a configuration example:
    Router# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)# ip access-list ext ingress-antispoof
    Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
    Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any 
    Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any 
    Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
    Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any
    Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any     
    Router(config-ext-nacl)# permit ip any any     
    Router(config-ext-nacl)# exit
    Router(config)#int s0/0
    Router(config-if)#ip access-group ingress-antispoof in
    Internet service providers (ISPs) must use filtering like this on their networks, as defined in RFC 2267. Notice how this ACL includes permit ip any any at the end. In the "real world," you would probably have a stateful firewall inside this router that protects your internal LAN.
    Of course, you could take this to the extreme and filter all inbound traffic from other subnets in your internal network to make sure that someone isn't on one subnet and spoofing traffic to another network. You could also implement egress ACLs to prevent users on your network from spoofing IP addresses from other networks. Keep in mind that this should be just one part of your overall network security strategy.
    Use reverse path forwarding (ip verify)
    Another way to protect your network from IP address spoofing is reverse path forwarding (RPF)—or ip verify. In the Cisco IOS, the commands for reverse path forwarding begin with ip verify.
    RPF works much like part of an anti-spam solution. That part receives inbound e-mail messages, takes the source e-mail address, and performs a recipient lookup on the sending server to determine if the sender really exists on the server the message came from. If the sender doesn't exist, the server drops the e-mail message because there's no way to reply to the message—and it's very likely spam.
    RPF does something similar with packets. It takes the source IP address of a packet received from the Internet and looks up to see if the router has a route in its routing table to reply to that packet. If there's no route in the routing table for a response to return to the source IP, then someone likely spoofed the packet, and the router drops the packet.
    Here's how to configure RPF on your router:
    Router(config)# ip cef
    Router(config)# int serial0/0
    Router(config-if)# ip verify unicast reverse-path
    Note that this won't work on a multi-homed network.
    It's important to protect your private network from attackers on the Internet. These three methods can go a long way toward protecting against IP address spoofing. For more information on IP address spoofing, read "IP Address Spoofing: An Introduction."
    Is IP address spoofing a major concern for your organization? What steps have you taken to protect the company? Have you used RPF? Share your experiences in this article's discussion.
    and don't forget to rate the post
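    As an added example (not from the thread or the quoted article), the two ingress controls the article describes modelled in Python so their behaviour can be checked on sample packets: the special-use source filter of the ingress-antispoof ACL, and unicast reverse-path forwarding in strict and loose mode, including the multi-homed case the article warns about. The routing table, interface names, the allow_default switch (modelling the IOS allow-default keyword) and all addresses are constructed for the example.

```python
import ipaddress
from typing import Optional, Tuple

# Sources the quoted ingress-antispoof ACL denies; 224.0.0.0/3 is the article's
# "224.0.0.0 31.255.255.255" (multicast and the reserved space above it).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "224.0.0.0/3", "169.254.0.0/16")]


def ingress_acl_denies(src: str, own_prefixes=()) -> bool:
    """'Block IP addresses': a packet arriving from the Internet may not claim a bogon
    source, nor one of our own public prefixes (the article's "add them to the list")."""
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in BOGON_SOURCES) or any(
        ip in ipaddress.ip_network(p) for p in own_prefixes)


class RoutingTable:
    """Longest-prefix-match table of (prefix, egress interface) entries."""

    def __init__(self, routes):
        self.routes = sorted(((ipaddress.ip_network(p), ifc) for p, ifc in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        ip = ipaddress.ip_address(addr)
        return next(((n, ifc) for n, ifc in self.routes if ip in n), None)


def urpf_passes(table: RoutingTable, src: str, ingress_ifc: str,
                mode: str = "strict", allow_default: bool = False) -> bool:
    """ip verify unicast reverse-path, modelled: loose mode needs any route back to
    the source; strict mode needs that route to leave via the interface the packet
    arrived on. A default route only satisfies the check when allow_default is set."""
    hit = table.lookup(src)
    if hit is None:
        return False
    net, ifc = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return mode == "loose" or ifc == ingress_ifc


def admit(table: RoutingTable, src: str, ingress_ifc: str, own_prefixes=(),
          mode: str = "strict", allow_default: bool = False) -> Tuple[bool, str]:
    """Apply the ACL first, then uRPF; returns (accepted, reason)."""
    if ingress_acl_denies(src, own_prefixes):
        return False, "ingress-acl"
    if not urpf_passes(table, src, ingress_ifc, mode, allow_default):
        return False, "urpf"
    return True, "ok"


# Constructed topology: LAN behind Gi0/0, two upstream links (multi-homed) on S0/0 and S0/1.
OUR_PREFIX = "203.0.113.0/24"
TABLE = RoutingTable([
    (OUR_PREFIX, "Gi0/0"),
    ("198.51.100.0/24", "S0/1"),   # a network learned only via the second uplink
    ("0.0.0.0/0", "S0/0"),         # default route out of the first uplink
])

if __name__ == "__main__":
    cases = [
        ("10.1.2.3", "S0/0", {}),                                   # RFC 1918 source from outside
        ("203.0.113.5", "S0/0", {"own_prefixes": [OUR_PREFIX]}),    # our own address from outside
        ("192.0.2.10", "S0/0", {"allow_default": True}),            # ordinary Internet source
        ("198.51.100.7", "S0/0", {"allow_default": True}),          # asymmetric path: strict drops it
        ("198.51.100.7", "S0/0", {"mode": "loose"}),                # loose mode accepts it
    ]
    for src, ifc, opts in cases:
        print(f"{src:>14} on {ifc}: {admit(TABLE, src, ifc, **opts)}")
```

The last two cases are the article's "won't work on a multi-homed network" caveat: a legitimate source whose return route points out the other uplink fails strict mode, and loose mode is the usual compromise on such links.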

  • How do i block my number when i send a text on my iphone 4s

    How do I block my number when I send a text on my iPhone 4s?

    In the U.S. the FCC adopted anti spoofing rules applying to extend the "Truth in Caller ID" act. The specific recommendation from Congress read:
    Legislative recommendations include clarifying the scope of the Truth in Caller ID Act to include (1) persons outside the United States, (2) the use of IP-enabled voice services that are not covered under the Commission’s current definition of interconnected Voice over Internet Protocol (VoIP) service, (3) appropriate authority over third party spoofing services, and (4) SMS-based text messaging services
    It is illegal to falsify the originating number for SMS messages in the U.S. This was originally intended to target telemarketers and text message spammers. The end result, though, is that it is illegal to block your phone number when sending an SMS message. A number (or a unique, traceable identifier, in the case of some automated systems) must be sent since the recipient is charged for receipt of the message.

  • [SOLVED] iptables: bad argument "In_RULE_0"

    I'm creating my firewall rules on FirewallBuilder and I noticed it has an "anti spoofing rule" it creates as RULE_0. I'm copying the compiled rules and trying to create a rules file but that rule_0 is not being accepted.
    iptables -A INPUT -i enp0s7 -s $i_enp0s7 -j In_RULE_0
    iptables -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    iptables -A In_RULE_0 -j DROP
    The output is
    Bad argument `In_RULE_0'
    Try `iptables -h' or 'iptables --help' for more information.
    The compiled version with all other commands:
    # ================ Table 'filter', rule set Policy
    # Rule 0 (enp0s7)
    echo "Rule 0 (enp0s7)"
    # anti spoofing rule
    $IPTABLES -N In_RULE_0
    for i_enp0s7 in $i_enp0s7_list
    do
    test -n "$i_enp0s7" && $IPTABLES -A INPUT -i enp0s7 -s $i_enp0s7 -j In_RULE_0
    done
    for i_enp0s7 in $i_enp0s7_list
    do
    test -n "$i_enp0s7" && $IPTABLES -A FORWARD -i enp0s7 -s $i_enp0s7 -j In_RULE_0
    done
    $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -A In_RULE_0 -j DROP
    Some have suggested I put my IP address in there, but that would require extra work considering my IP changes many times a day.
    Last edited by Amarildo (2014-10-12 04:00:50)

    Solved. Instead of using
    -s $i_enp0s7
    use
    -s my-hostname
    so
    iptables -A INPUT -i enp0s7 -s junior -j In_RULE_0
    Last edited by Amarildo (2014-10-12 04:00:30)

  • [RVS 4000] Setup secure ACL

    I want to make an ACL that will allow the minimum traffic. For example only: HTTP, DNS, SSH, FTP, TeamSpeak, Torrents.
    This doesn't seem to be possible with the ACL on my Cisco Small Business RVS4000; I can only choose from predefined settings.
    I can't set up my own source and destination IPs and ports. So that isn't very useful.
    I might be wrong, so that's why I posted this thread. Is there a way to allow a minimum traffic flow with the ACL?
    When I only allow HTTP, DNS, etc. and deny the rest I can't use my TeamSpeak, MSN and Torrents anymore.
    This is what I have now and which works, but isn't secure... Check the screenshot below. Below that is my iptables configuration; an ACL like that would be my idea of secure.
    #!/bin/sh
    IPTABLES=/sbin/iptables
    MODPROBE=/sbin/modprobe
    INT_NET=192.168.1.32/28
    LO=127.0.0.0/8
    ###   Flush existing rules and set chain policy setting to DROP   ###
    echo "[+] Flushing existing iptables rules..."
    $IPTABLES -F
    $IPTABLES -F -t filter
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    ###   KERNEL modifications   ###
    echo "[+] Setting up KERNEL modifications..."
    $MODPROBE ip_conntrack
    # Disable IP forwarding
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # Enable IP spoofing protection
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
    # Protect against SYN flood attacks
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    ###   INPUT chain   ###
    echo "[+] Setting up INPUT chain..."
    ### State tracking rules
    $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ### ACCEPT rules for allowing connections in
    ### Loopback
    $IPTABLES -A INPUT -i lo -s $LO -d $LO -m state --state NEW -j ACCEPT
    # SSH
    $IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -m recent --set --name SSH
    $IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP
    $IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
    ### Anti-spoofing rules
    $IPTABLES -A INPUT -d $INT_NET -j LOG --log-prefix "SPOOFED PACKET "
    $IPTABLES -A INPUT -d $INT_NET -j DROP
    ### Default INPUT LOG rule
    $IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
    ###   OUTPUT chain   ###
    echo "[+] Setting up OUTPUT chain..."
    ### State tracking rules
    $IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ### ACCEPT rules for allowing connections out
    # Loopback
    $IPTABLES -A OUTPUT -o lo -s $LO -d $LO -m state --state NEW -j ACCEPT
    # SSH
    $IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
    # Whois
    $IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
    # DNS
    $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    # HTTP
    $IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    # NTP
    $IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
    # HTTPS
    $IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
    # MSN
    $IPTABLES -A OUTPUT -p tcp --dport 1863 --syn -m state --state NEW -j ACCEPT
    # RWhois
    $IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
    # Google Talk
    $IPTABLES -A OUTPUT -p tcp --dport 5222 --syn -m state --state NEW -j ACCEPT
    # KTorrent
    $IPTABLES -A OUTPUT -p tcp --dport 6881 --syn -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p udp --dport 6881 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 4444 --syn -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p udp --dport 4444 -m state --state NEW -j ACCEPT
    # IRC
    #$IPTABLES -A OUTPUT -p tcp --dport 6667 -m state --state NEW -j ACCEPT
    # Teamspeak Voice
    $IPTABLES -A OUTPUT -p udp --dport 9987 -m state --state NEW -j ACCEPT
    # Teamspeak Serverquery
    $IPTABLES -A OUTPUT -p tcp --dport 10011 --syn -m state --state NEW -j ACCEPT
    # Teamspeak Update Server
    #$IPTABLES -A OUTPUT -p udp --dport 17384 -m state --state NEW -j ACCEPT
    # Teamspeak Filetransfer
    $IPTABLES -A OUTPUT -p tcp --dport 30033 --syn -m state --state NEW -j ACCEPT
    # Ping
    $IPTABLES -A OUTPUT -s $INT_NET -p icmp --icmp-type echo-request -j ACCEPT
    ### Default OUTPUT LOG rule
    $IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
    ###   FORWARD chain   ###
    echo "[+] Setting up FORWARD chain..."
    ### State tracking rules
    $IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ### Anti-spoofing rules
    $IPTABLES -A FORWARD -d $INT_NET -j LOG --log-prefix "SPOOFED PACKET "
    $IPTABLES -A FORWARD -d $INT_NET -j DROP
    ### Default FORWARD LOG rule
    $IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

    I explored that feature, but it doesn't feel like it's related to the rules I apply. For example I have these 3 rules now; when I go into that manager and define a port for SSH, for example, then that port is also in the manager for 'deny all'. So what's the clue? Do I have to give the ACL and the port definition the same name and then only those two are related to each other? Because at this point the two menus don't feel related.
    PS: Thanks rshao

  • Problem in mapping Task payload parameters to Oracle Business Rules facts

    Hi all,
    We are using complex types from our project XSDs inside the Human Task payload. We intend to use these Human Task payload parameters to build routing rules using the Oracle Business Rules interface. Our observation is that when the complexity of these complex types increases, the business rules editor does not show them as facts that can be used in formulating rules.
    Has anybody faced such a problem before? Any help is appreciated.
    We are using the following link to add routing rules –
    http://docs.oracle.com/cd/E25054_01/dev.1111/e10224/bp_decision.htm
    Version details :
    ADF Business Components     11.1.1.60.13
    Java(TM) Platform     1.6.0_29
    Oracle IDE     11.1.1.5.37.60.13
    SOA Composite Editor     11.1.1.5.0.01.74
    Thanks,
    Yamini.

    Problem solved. There was an element in the xml schema that had nillable = true. Because of this the XML Fact for that element would no longer be available in the BPEL Process. Removing the nillable and generating the XML Facts again solved the missing variable problem.
