Solved

Why no log message for UDP protocol rule?

Posted on 2008-10-06
Last Modified: 2013-12-27
I have created an IPFilter rule file. Most rules are TCP protocol based while a few are for UDP. For instance,

block return-rst in log quick proto tcp from any to any port = 1521
blcok return-rst in log quick proto udp from any to any port = 1812

The log file is configured as /var/log/ipflog through /etc/syslog.conf file.

I am using freeware IPPx to send packets to my test machine. The IPPx GUI tool can send both TCP and UDP packets. However, I can see the log message for matched TCP ports, but NOT for UDP ports. So I cannot verify whether IPFilter has filtered out traffic to that UDP port. Do you know why?

Thanks!
0
Question by:gs_kanata
7 Comments
 
LVL 13

Accepted Solution

by:
Rowley earned 1002 total points
ID: 22657127
Can you confirm that the udp traffic is reaching your server?
Are there any devices between your port scanner and destination host?
0
 

Author Comment

by:gs_kanata
ID: 22658550
I can only confirm that TCP traffic is reaching my test server, as it is seen in the IPFilter log file. As for the UDP traffic, it comes from the same testing tool, IPPx, with just a different attribute selection. This implies that the topology of the network between the IPPx and the test server is the same. The IPPx is installed on my home laptop, which accesses the company network via VPN. Why can the UDP traffic NOT reach the server? I am confused here.

0
 
LVL 13

Assisted Solution

by:Rowley
Rowley earned 1002 total points
ID: 22658933
"This implies that the topology of the network between the IPPx and the test sever is the same"

Yes, but not the ACLs or rules on any single hop between them. Can you snoop on the destination machine for UDP packets from your VPN client?
0

 
LVL 4

Assisted Solution

by:urgoll
urgoll earned 498 total points
ID: 22659100
You have a typo in your UDP line:
> blcok return-rst in log quick proto udp from any to any port = 1812

the first word has inverted letters. Could this be the problem?
0
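The typo urgoll spotted is the kind of defect that is easier to catch mechanically than by eye before the file is loaded with ipf. The following is an added example of my own, not code from the thread or from the IPFilter project: a small linter over ipf.conf rule lines that flags an unrecognised action keyword (suggesting the nearest real one) and, as a second check worth making on the posted rules regardless of the logging question, a return-rst on a rule whose proto is not tcp, since ipf.conf(5) documents return-rst as a TCP reset. SAMPLE_RULES re-types the two rules from the question as constructed input.

```python
"""Lint IPFilter (ipf.conf) rules for two defects that are easy to miss by
eye: a misspelled action keyword and a return-rst on a non-TCP rule.
Added example, not from the thread or the IPFilter project; SAMPLE_RULES
re-types the two rules the author posted as constructed input."""
import difflib
import re

SAMPLE_RULES = """\
block return-rst in log quick proto tcp from any to any port = 1521
blcok return-rst in log quick proto udp from any to any port = 1812
"""

# Action keywords a rule may start with, per ipf.conf(5).
ACTIONS = ["auth", "block", "call", "count", "log", "pass", "skip"]
PROTO_RE = re.compile(r"\bproto\s+(\S+)")


def lint_rule(rule):
    """Return a list of findings for one rule line (empty list = clean)."""
    findings = []
    words = rule.split()
    if not words:
        return findings
    # An optional "@n" prefix pins the rule number; the action follows it.
    action = words[1] if words[0].startswith("@") and len(words) > 1 else words[0]
    if action not in ACTIONS:
        close = difflib.get_close_matches(action, ACTIONS, n=1)
        hint = f" (did you mean '{close[0]}'?)" if close else ""
        findings.append(f"unknown action '{action}'{hint}")
    m = PROTO_RE.search(rule)
    proto = m.group(1).lower() if m else None
    # ipf.conf(5) documents return-rst as a TCP reset; on any other
    # protocol it cannot fire, so the rule is almost certainly wrong.
    if "return-rst" in words and proto is not None and proto != "tcp":
        findings.append(f"return-rst on proto {proto}: return-rst is TCP-only, "
                        "use return-icmp for UDP")
    return findings


def lint_rules(text):
    """Map 1-based line number -> findings for every non-comment rule line."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        results[lineno] = lint_rule(stripped)
    return results


if __name__ == "__main__":
    for lineno, findings in lint_rules(SAMPLE_RULES).items():
        for finding in findings:
            print(f"line {lineno}: {finding}")
```

Run against SAMPLE_RULES it reports nothing for line 1 and two findings for line 2: the unknown action "blcok" (suggesting "block") and the return-rst on a UDP rule. The keyword list is deliberately the ipf.conf(5) action words only; tokens after the action (return-rst, in, log, quick, proto ...) are not spell-checked here.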
 

Author Comment

by:gs_kanata
ID: 22705704
Hi urgoll,

It is a typo here. The rule file has the correct word as "block". :-)

Thanks,
0
 

Author Comment

by:gs_kanata
ID: 22706793
Hi Rowley:

This is the snoop result. But this time the IPPx stream was sent within the company LAN, not via VPN. As you can see, there is a difference between TCP and UDP packets. The latter is missing a lot. Could you explain?

alg952# snoop 47.128.185.70
Using device /dev/ce (promiscuous mode)

user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 8471)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 8471)
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 220 alg952 FTP ser
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 221 You could at lea
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944



user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 9751)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 9751)

0
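Rowley's suggested check was to snoop the destination for UDP from the test client, and a capture like the one above is easiest to judge when tallied by transport protocol rather than read line by line. The following is an added example of my own, not code from the thread or from Solaris: it parses snoop(1M) summary lines of the form "src -> dst PROTO details", folds snoop's application-level decodes such as FTP back into TCP, counts packets per protocol, lists the TCP destination ports seen inbound to the host, and reports whether any UDP reached it at all. SAMPLE_SNOOP re-types the capture posted above as constructed input.

```python
"""Tally a snoop(1M) summary capture by transport protocol and report
whether any UDP reached the host.  Added example; SAMPLE_SNOOP re-types
the capture the author posted and is treated as constructed input."""
import re
from collections import Counter

SAMPLE_SNOOP = """\
alg952# snoop 47.128.185.70
Using device /dev/ce (promiscuous mode)

user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 8471)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 8471)
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 220 alg952 FTP ser
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 221 You could at lea
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 9751)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 9751)
"""

# snoop summary format: "<src> -> <dst>  <PROTO> <details>"
LINE_RE = re.compile(r"^\s*(\S+)\s+->\s+(\S+)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"\bD=(\d+)")

# snoop names TCP application protocols it decodes instead of "TCP";
# fold them back into TCP so the transport-level tally is honest.
TCP_DECODES = {"FTP", "TELNET", "HTTP"}


def parse(text):
    """Parse snoop summary lines into records; non-packet lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, rest = m.groups()
        transport = "TCP" if proto in TCP_DECODES else proto
        port = PORT_RE.search(rest)
        records.append({
            "src": src,
            "dst": dst,
            "proto": transport,
            "dport": int(port.group(1)) if port else None,
        })
    return records


def protocol_counts(records):
    """Packets seen per transport protocol."""
    return Counter(r["proto"] for r in records)


def inbound_ports(records, host, proto):
    """Sorted destination ports of <proto> packets addressed to <host>."""
    return sorted({r["dport"] for r in records
                   if r["dst"] == host and r["proto"] == proto
                   and r["dport"] is not None})


def udp_reached(records, host):
    """True if any UDP datagram addressed to <host> appears in the capture."""
    return any(r["dst"] == host and r["proto"] == "UDP" for r in records)


if __name__ == "__main__":
    recs = parse(SAMPLE_SNOOP)
    print("per-protocol:", dict(protocol_counts(recs)))
    print("TCP ports inbound to alg952:", inbound_ports(recs, "alg952", "TCP"))
    print("UDP reached alg952:", udp_reached(recs, "alg952"))
```

On the posted capture this yields ICMP 4, TCP 16 (6 raw TCP plus the 10 FTP decodes), UDP 0, inbound TCP port 1050 only, and udp_reached False: no datagram to the host was on the wire during that snoop, which is the condition a filter rule has to match before it can log anything. The positive case is covered by a constructed UDP line in the accompanying check.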
 

Author Closing Comment

by:gs_kanata
ID: 31503708
The problem is not fully answered.
0
