Solved

Why no log message for UDP protocol rule?

Posted on 2008-10-06
Medium Priority
492 Views
Last Modified: 2013-12-27
I have created an IPFilter rule file. Most rules are TCP protocol based while a few are for UDP. For instance,

block return-rst in log quick proto tcp from any to any port = 1521
blcok return-rst in log quick proto udp from any to any port = 1812

The log file is configured as /var/log/ipflog through the /etc/syslog.conf file.

I am using freeware IPPx to send packets to my test machine. The IPPx GUI tool can send both TCP and UDP packets. However, I can see the log message for matched TCP ports, but NOT for UDP ports. So I cannot verify whether the IPFilter has filtered out traffic to that UDP port. Do you know why?

Thanks!
0
Question by:gs_kanata
7 Comments
 
LVL 13

Accepted Solution

by:
Rowley earned 1002 total points
ID: 22657127
Can you confirm that the UDP traffic is reaching your server?
Are there any devices between your port scanner and destination host?
0
 

Author Comment

by:gs_kanata
ID: 22658550
I can only confirm that TCP traffic is reaching my test server, as it is seen in the IPFilter log file. As for the UDP traffic, it comes from the same testing tool, IPPx, with just a different attribute selection. This implies that the topology of the network between the IPPx and the test server is the same. The IPPx is installed on my home laptop, which accesses the company network via VPN. Why can the UDP traffic NOT reach the server? I am confused here.

0
 
LVL 13

Assisted Solution

by:Rowley
Rowley earned 1002 total points
ID: 22658933
"This implies that the topology of the network between the IPPx and the test server is the same"

Yes, but not the ACLs or rules on any single hop between them. Can you snoop on the destination machine for UDP packets from your VPN client?
0
 
LVL 4

Assisted Solution

by:urgoll
urgoll earned 498 total points
ID: 22659100
You have a typo in your UDP line:
> blcok return-rst in log quick proto udp from any to any port = 1812

the first word has inverted letters. Could this be the problem?
0
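Both points raised so far about the rule file itself (the misspelled action word, and whether a TCP-only modifier such as return-rst belongs on a UDP rule at all) can be caught mechanically before the file is loaded with ipf. The linter below is an added example written for this page; it is not part of IPFilter and not the poster's own tooling. It checks the two rule lines exactly as they appear in the question, recognises only a deliberately small subset of the ipf.conf(5) grammar (assumption: a real rule file may use keywords it does not know), and relies on the fact that RST is a TCP flag, so return-rst has nothing to send back for UDP, where return-icmp-as-dest(port-unr) or a plain block is the usual choice.

```python
import difflib
from typing import List, Tuple

# The two rule lines exactly as posted in the question; the second still
# carries the "blcok" typo that urgoll pointed out.
RULES_FROM_QUESTION = """\
block return-rst in log quick proto tcp from any to any port = 1521
blcok return-rst in log quick proto udp from any to any port = 1812
"""

# Deliberately small subset of the ipf.conf(5) grammar: enough to catch the
# two issues discussed in the thread, not a full parser (assumption: a real
# rule file may use keywords that are not listed here).
ACTIONS = {"block", "pass", "log", "count"}
TCP_ONLY_MODIFIERS = {"return-rst"}   # RST is a TCP flag; UDP has no equivalent

Finding = Tuple[int, str, str]        # (line number, short code, detail)


def suggest_action(word: str) -> str:
    """Closest known action keyword, or '' if nothing is close enough."""
    close = difflib.get_close_matches(word, sorted(ACTIONS), n=1)
    return close[0] if close else ""


def lint_rule(line: str, lineno: int) -> List[Finding]:
    """Lint one rule line; returns an empty list when nothing looks wrong."""
    findings: List[Finding] = []
    tokens = line.split()
    if not tokens:
        return findings
    action = tokens[0].lower()
    if action not in ACTIONS:
        hint = suggest_action(action)
        findings.append((lineno, "unknown-action",
                         f"{tokens[0]!r} is not an action keyword"
                         + (f" (did you mean {hint!r}?)" if hint else "")))
    # The protocol appears as "proto <name>" somewhere in the rule.
    proto = None
    for i, tok in enumerate(tokens):
        if tok == "proto" and i + 1 < len(tokens):
            proto = tokens[i + 1].lower()
    # return-* modifiers may carry an argument, e.g. return-icmp-as-dest(port-unr).
    modifiers = [t.split("(", 1)[0] for t in tokens if t.startswith("return-")]
    for mod in modifiers:
        if mod in TCP_ONLY_MODIFIERS and proto not in (None, "tcp"):
            findings.append((lineno, "tcp-only-modifier",
                             f"{mod} has no meaning for proto {proto}; use a plain "
                             "'block' or return-icmp-as-dest(port-unr) for UDP"))
    return findings


def lint_file(text: str) -> List[Finding]:
    """Lint a whole rule file; '#' starts a comment, blank lines are ignored."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        findings.extend(lint_rule(raw.split("#", 1)[0].strip(), n))
    return findings


if __name__ == "__main__":
    for n, code, detail in lint_file(RULES_FROM_QUESTION):
        print(f"line {n}: {code}: {detail}")
```

Run against the two lines from the question it reports nothing for the TCP rule and two findings for the UDP rule: the unknown action word (with "block" as the suggested correction) and the TCP-only modifier. Note that a return-rst rule that never matches cannot explain a missing log line by itself, which is why the capture-based check further down the thread is the more useful one.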
 

Author Comment

by:gs_kanata
ID: 22705704
Hi urgoll,

It is a typo here. The rule file has the correct word as "block". :-)

Thanks,
0
 

Author Comment

by:gs_kanata
ID: 22706793
Hi Rowley:

This is the snoop result. But this time the IPPx stream was sent within the company LAN, not via VPN. As you can see, there is a difference between TCP and UDP packets. The latter is missing a lot. Could you explain?

alg952# snoop 47.128.185.70
Using device /dev/ce (promiscuous mode)

user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 8471)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 8471)
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 220 alg952 FTP ser
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 221 You could at lea
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 9751)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 9751)

0
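Tallying the capture above by protocol makes the point of this comment visible at a glance. The script below is an added example written for this page (it is not part of Solaris snoop, IPFilter or the thread); the capture it parses is the snoop output pasted in the comment, copied verbatim. It assumes only snoop's one-line summary format ("src -> dst PROTO details"); the FTP lines are TCP segments that snoop decodes at the application layer, so they are counted under FTP exactly as printed. Because snoop in promiscuous mode shows what arrived on the interface regardless of what ipf later does with it, an empty UDP count means the rule never had a packet to log.

```python
import re
from collections import Counter
from typing import Counter as CounterType, List, NamedTuple, Optional

# The snoop output pasted in the comment above, copied verbatim.
SNOOP_FROM_COMMENT = """\
user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 8471)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 8471)
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 220 alg952 FTP ser
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 221 You could at lea
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944

user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 9751)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 9751)
"""


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str    # protocol name as snoop prints it (ICMP, TCP, UDP, FTP, ...)
    detail: str   # the rest of the summary line


# snoop summary line: optional indent, "src -> dst", protocol, free-form detail.
LINE_RE = re.compile(r"^\s*(\S+) -> (\S+)\s+(\S+)\s*(.*)$")


def parse_snoop(text: str) -> List[Packet]:
    """Parse snoop summary lines; blank or unrecognised lines are skipped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(Packet(*m.groups()))
    return packets


def tally(packets: List[Packet]) -> CounterType[str]:
    """Packets per protocol name."""
    return Counter(p.proto for p in packets)


def dst_port(p: Packet) -> Optional[int]:
    """Destination port from a TCP/UDP summary ('D=1050 ...'); None otherwise."""
    m = re.search(r"\bD=(\d+)", p.detail)
    return int(m.group(1)) if m else None


def hits_to_port(packets: List[Packet], proto: str, port: int) -> List[Packet]:
    """Packets of the given protocol whose destination port matches."""
    return [p for p in packets if p.proto == proto and dst_port(p) == port]


def verdict(packets: List[Packet], proto: str, port: int) -> str:
    """Short diagnosis for 'why is there no ipf log line for proto/port?'."""
    if tally(packets).get(proto, 0) == 0:
        return f"no-{proto.lower()}-seen"          # nothing arrived: look upstream, not at ipf
    if hits_to_port(packets, proto, port):
        return "seen-to-port"                      # traffic arrived: now check the rule and ipmon
    return "seen-but-not-to-port"                  # proto arrived, but not for this port


if __name__ == "__main__":
    pkts = parse_snoop(SNOOP_FROM_COMMENT)
    for name, n in sorted(tally(pkts).items()):
        print(f"{name:5s} {n}")
    print("UDP/1812:", verdict(pkts, "UDP", 1812))
    print("TCP/1521:", verdict(pkts, "TCP", 1521))
```

On this capture the tally is ICMP 4, TCP 6 and FTP 10, with no UDP line at all, so the verdict for the port 1812 rule is that nothing reached the host to be logged; the TCP side shows the same host's SYNs to port 1050 being answered with RSTs, which is why the TCP rules could be observed while the UDP one could not. That is the same check Rowley asked for, done on the pasted text rather than by eye.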
 

Author Closing Comment

by:gs_kanata
ID: 31503708
The problem is not fully answered.
0
