Why not log message for upd protocal rule?

I have created an IPFilter rule file. Most rules are TCP protocal based while few are for UDP. For instnce,

block return-rst in log quick proto tcp from any to any port = 1521
blcok return-rst in log quick proto udp from any to any port = 1812

The log file is configured as /var/log/ipflog through /etc/syslog.conf file.

I am using freeware IPPx to send packets to my test machine. The IPPx GUI tool can send both TCP and UPD packets. However, I can see the log message for matched TCP ports, but NOT for UDP ports. So I can not verify whether the IPFilter has filtered out traffic to that UDP. Do you know why?

Thanks!
gs_kanataAsked:
Who is Participating?
 
RowleyConnect With a Mentor Commented:
Can you confirm that the udp traffic is reaching your server?
Are there any devices between your port scanner and destination host?
0
 
gs_kanataAuthor Commented:
I can only confirm that TCP traffic is reaching to my test server, as they are seen in the IPFilter log file. As for the UDP traffic, it comes from the same testing tool, IPPx, with just different attribute selection. This implies that the topology of the network between the IPPx and the test sever is the same. The IPPx is installed my home labtop which access the company network via VPN. Why can NOT the UDP traffic reach the server? I am confused here.

0
 
RowleyConnect With a Mentor Commented:
"This implies that the topology of the network between the IPPx and the test sever is the same"

Yes, but not the ACL's or rules on any single hop between them. Can you snoop on the destination machine for UDP packets from your vpn client?
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
urgollConnect With a Mentor Commented:
You have a typo in your UDP line:
> blcok return-rst in log quick proto udp from any to any port = 1812

the first word has inverted letters. Could this be the problem ?
0
 
gs_kanataAuthor Commented:
Hi urgoll,

It is typo here. The rule file has the correct word as "block". :-)

Thanks,
0
 
gs_kanataAuthor Commented:
Hi Rowley:

This is snoop result. But this time the IPPx stream was sent within the company LAN, not via VPN.  As you could see, there is difference between TCP and UDP packets. The latter has missing a lot. Could you explain?

alg952# snoop 47.128.185.70
Using device /dev/ce (promiscuous mode)

user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 8471)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 8471)
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 220 alg952 FTP ser
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 221 You could at lea
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944



user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 9751)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 9751)

0
 
gs_kanataAuthor Commented:
The problem is not fully answered.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.