I have started adding certain ranges of "known bad neighborhoods" to ipfilter. I temporarily enabled logging of the first incoming packet that is dropped by each rule and am surprised by the vast number of dropped connection attempts.
We run our own nameservers, and most of the drops are on port 53 UDP. These connection attempts come in waves of up to 50 from the same address over a short period of time.
I'm wondering if I should change the order of rules... e.g. by moving up this one:
pass in quick proto udp from any to <thishost> port = 53 keep state
Current sequence of rules on the public facing interface is as follows:
1. Allow in specific connections from known hosts
2. Deny in everything that is known to be invalid or bad
3. Allow in what has not been blocked so far and tries to access a valid, existing service
4. Deny in anything else
5. Outbound rules
Blocked example (section #2):
xyz0 @0:76 b 203.162.4.nnn,61492 -> aaa.bbb.ccc.ddd,53 PR udp len 20 63 IN
I'm wondering if allowing access to the nameserver (only for domains we are authoritative for) will merely shift the problem down to the next rule section or if it would bring down the number of failed attempts.
Or, I can just stop logging - since I already know these are bad ranges :)
Any experiences out there?