Solved

Why not log message for upd protocal rule?

Posted on 2008-10-06
7
475 Views
Last Modified: 2013-12-27
I have created an IPFilter rule file. Most rules are TCP protocal based while few are for UDP. For instnce,

block return-rst in log quick proto tcp from any to any port = 1521
blcok return-rst in log quick proto udp from any to any port = 1812

The log file is configured as /var/log/ipflog through /etc/syslog.conf file.

I am using freeware IPPx to send packets to my test machine. The IPPx GUI tool can send both TCP and UPD packets. However, I can see the log message for matched TCP ports, but NOT for UDP ports. So I can not verify whether the IPFilter has filtered out traffic to that UDP. Do you know why?

Thanks!
0
Comment
Question by:gs_kanata
  • 4
  • 2
7 Comments
 
LVL 13

Accepted Solution

by:
Rowley earned 334 total points
Comment Utility
Can you confirm that the udp traffic is reaching your server?
Are there any devices between your port scanner and destination host?
0
 

Author Comment

by:gs_kanata
Comment Utility
I can only confirm that TCP traffic is reaching to my test server, as they are seen in the IPFilter log file. As for the UDP traffic, it comes from the same testing tool, IPPx, with just different attribute selection. This implies that the topology of the network between the IPPx and the test sever is the same. The IPPx is installed my home labtop which access the company network via VPN. Why can NOT the UDP traffic reach the server? I am confused here.

0
 
LVL 13

Assisted Solution

by:Rowley
Rowley earned 334 total points
Comment Utility
"This implies that the topology of the network between the IPPx and the test sever is the same"

Yes, but not the ACL's or rules on any single hop between them. Can you snoop on the destination machine for UDP packets from your vpn client?
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 4

Assisted Solution

by:urgoll
urgoll earned 166 total points
Comment Utility
You have a typo in your UDP line:
> blcok return-rst in log quick proto udp from any to any port = 1812

the first word has inverted letters. Could this be the problem ?
0
 

Author Comment

by:gs_kanata
Comment Utility
Hi urgoll,

It is typo here. The rule file has the correct word as "block". :-)

Thanks,
0
 

Author Comment

by:gs_kanata
Comment Utility
Hi Rowley:

This is snoop result. But this time the IPPx stream was sent within the company LAN, not via VPN.  As you could see, there is difference between TCP and UDP packets. The latter has missing a lot. Could you explain?

alg952# snoop 47.128.185.70
Using device /dev/ce (promiscuous mode)

user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 8471)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 8471)
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 220 alg952 FTP ser
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 221 You could at lea
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944



user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 9751)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 9751)

0
 

Author Closing Comment

by:gs_kanata
Comment Utility
The problem is not fully answered.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

In tuning file systems on the Solaris Operating System, changing some parameters of a file system usually destroys the data on it. For instance, changing the cache segment block size in the volume of a T3 requires that you delete the existing volu…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now