Solved

Why is there no log message for a UDP protocol rule?

Posted on 2008-10-06
486 Views
Last Modified: 2013-12-27
I have created an IPFilter rule file. Most rules are TCP protocol based while a few are for UDP. For instance,

block return-rst in log quick proto tcp from any to any port = 1521
blcok return-rst in log quick proto udp from any to any port = 1812

The log file is configured as /var/log/ipflog through /etc/syslog.conf file.

I am using the freeware IPPx to send packets to my test machine. The IPPx GUI tool can send both TCP and UDP packets. However, I can see the log message for matched TCP ports, but NOT for UDP ports. So I cannot verify whether IPFilter has filtered out traffic to that UDP port. Do you know why?

Thanks!
0
Question by:gs_kanata
7 Comments
 
LVL 13

Accepted Solution

by:
Rowley earned 334 total points
ID: 22657127
Can you confirm that the UDP traffic is reaching your server?
Are there any devices between your port scanner and destination host?
0
 

Author Comment

by:gs_kanata
ID: 22658550
I can only confirm that TCP traffic is reaching my test server, as it is seen in the IPFilter log file. As for the UDP traffic, it comes from the same testing tool, IPPx, with just a different attribute selection. This implies that the topology of the network between IPPx and the test server is the same. IPPx is installed on my home laptop, which accesses the company network via VPN. Why can the UDP traffic NOT reach the server? I am confused here.

0
 
LVL 13

Assisted Solution

by:Rowley
Rowley earned 334 total points
ID: 22658933
"This implies that the topology of the network between IPPx and the test server is the same"

Yes, but not the ACLs or rules on any single hop between them. Can you snoop on the destination machine for UDP packets from your VPN client?
0
 
LVL 4

Assisted Solution

by:urgoll
urgoll earned 166 total points
ID: 22659100
You have a typo in your UDP line:
> blcok return-rst in log quick proto udp from any to any port = 1812

The first word has inverted letters. Could this be the problem?
0
 

Author Comment

by:gs_kanata
ID: 22705704
Hi urgoll,

It is a typo here. The rule file has the correct word, "block". :-)

Thanks,
0
 

Author Comment

by:gs_kanata
ID: 22706793
Hi Rowley:

This is the snoop result. But this time the IPPx stream was sent within the company LAN, not via VPN. As you can see, there is a difference between the TCP and UDP packets. The latter is missing a lot. Could you explain?

alg952# snoop 47.128.185.70
Using device /dev/ce (promiscuous mode)

user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 8471)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 8471)
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     TCP D=1050 S=1943 Syn Seq=387795453 Len=0 Win=64512 Options=<mss 1460,nop,nop,sackOK>
    alg952 -> user-3.dummy.company.com TCP D=1943 S=1050 Rst Ack=387795454 Win=0
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 220 alg952 FTP ser
user-3.dummy.company.com -> alg952     FTP C port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944
    alg952 -> user-3.dummy.company.com FTP R port=1944 221 You could at lea
    alg952 -> user-3.dummy.company.com FTP R port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
user-3.dummy.company.com -> alg952     FTP C port=1944
user-3.dummy.company.com -> alg952     ICMP Echo request (ID: 512 Sequence number: 9751)
    alg952 -> user-3.dummy.company.com ICMP Echo reply (ID: 512 Sequence number: 9751)

0
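Two offline checks that a practitioner would run against the rule file from the question and against /var/log/ipflog, before blaming the network. They are an added example written for this page, not code from the thread or from IPFilter. Note what the snoop trace above already shows: ICMP, TCP and FTP packets, but not one UDP datagram, so there was nothing for the UDP rule to log. Separately, ipf.conf(5) documents return-rst as a TCP reset reply; on a "proto udp" rule it is meaningless (the UDP equivalent is return-icmp or return-icmp-as-dest), and whether a given IPFilter version rejects such a rule or loads it silently is something to confirm with "ipfstat -io" rather than assume. The lint below flags both that and the "blcok" typo urgoll pointed out, and the log parser counts ipmon records per protocol and port so a missing "PR udp" line for 1812 is visible at a glance. The ipmon record layout in the regex and the syslog prefix are taken from ipmon(8) as I understand it and are assumptions; hostnames, addresses, PIDs and timestamps in the sample data are constructed.

```python
"""Lint ipf.conf rules and summarise ipmon(8) log records (added example)."""
import re
from collections import Counter

# Actions an ipf.conf rule may begin with (common subset).
VALID_ACTIONS = {"block", "pass", "log", "count"}

PORT_RE = re.compile(r"\bport\s*=\s*(\d+)")

# One ipmon(8) record: "dd/mm/yyyy hh:mm:ss.usec ifname @group:rule action
# src,sport -> dst,dport PR proto ...".  `search` rather than `match` because
# ipmon logging through syslogd (syslog.conf -> /var/log/ipflog) prefixes each
# line with "Mon dd hh:mm:ss host ipmon[pid]: " (assumed layout).
IPMON_RE = re.compile(
    r"(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bpLSn]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>[a-z]+)"
)


def lint_rule(rule):
    """Return the problems found in one ipf.conf rule (empty list if none)."""
    problems = []
    tokens = rule.split()
    if not tokens or tokens[0].startswith("#"):
        return problems
    if tokens[0] not in VALID_ACTIONS:
        problems.append("unknown action %r (typo?)" % tokens[0])
    proto = tokens[tokens.index("proto") + 1] if "proto" in tokens[:-1] else None
    if "return-rst" in tokens and proto != "tcp":
        # return-rst sends a TCP RST; for UDP use return-icmp(port-unr).
        problems.append("return-rst used with proto %s; only valid for tcp"
                        % (proto or "unspecified"))
    if "log" not in tokens:
        problems.append("rule has no 'log' keyword, so ipmon never sees it")
    return problems


def parse_ipmon_line(line):
    """Extract the fields of one ipmon record, or None for non-ipmon lines."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "group", "rule"):
        rec[key] = int(rec[key])
    return rec


def count_hits(log_lines):
    """Count logged packets per (proto, dport, action), e.g. ('udp', 1812, 'b')."""
    hits = Counter()
    for line in log_lines:
        rec = parse_ipmon_line(line)
        if rec is not None:
            hits[(rec["proto"], rec["dport"], rec["action"])] += 1
    return hits


def unlogged_rules(rules, hits):
    """Return sorted (proto, port) pairs for logging rules with no log record.

    A rule listed here either never saw traffic (snoop on the host for it)
    or never loaded (compare against 'ipfstat -io').
    """
    seen = {(proto, dport) for (proto, dport, _action) in hits}
    missing = set()
    for rule in rules:
        tokens = rule.split()
        port = PORT_RE.search(rule)
        if "log" not in tokens or "proto" not in tokens[:-1] or port is None:
            continue
        key = (tokens[tokens.index("proto") + 1], int(port.group(1)))
        if key not in seen:
            missing.add(key)
    return sorted(missing)


# The two rules from the question as posted, plus a corrected UDP rule.
RULES = [
    "block return-rst in log quick proto tcp from any to any port = 1521",
    "blcok return-rst in log quick proto udp from any to any port = 1812",
    "block return-icmp(port-unr) in log quick proto udp from any to any port = 1812",
]

# Constructed /var/log/ipflog content (syslog prefix + ipmon record).  The
# TCP-only file mirrors the symptom in the question; the second adds the UDP
# record that should appear once the UDP rule is loaded and traffic arrives.
IPFLOG_TCP_ONLY = """\
Oct  6 10:15:22 alg952 ipmon[428]: 06/10/2008 10:15:22.118233 ce0 @0:1 b 192.0.2.10,1943 -> 192.0.2.5,1521 PR tcp len 20 48 -S IN
Oct  6 10:15:25 alg952 ipmon[428]: 06/10/2008 10:15:25.201907 ce0 @0:1 b 192.0.2.10,1943 -> 192.0.2.5,1521 PR tcp len 20 48 -S IN
"""
IPFLOG_WITH_UDP = IPFLOG_TCP_ONLY + """\
Oct  6 10:15:40 alg952 ipmon[428]: 06/10/2008 10:15:40.332001 ce0 @0:3 b 192.0.2.10,1944 -> 192.0.2.5,1812 PR udp len 20 48 IN
"""

if __name__ == "__main__":
    for rule in RULES:
        print(rule, "->", lint_rule(rule) or "ok")
    hits = count_hits(IPFLOG_TCP_ONLY.splitlines())
    print("hits:", dict(hits))
    print("rules with no log record:", unlogged_rules(RULES, hits))
```

Run it against the real rule file and log (`lint_rule` over each line of ipf.conf, `count_hits` over /var/log/ipflog). If the UDP rule lints clean and still shows up in `unlogged_rules`, capture on the host with snoop for "udp port 1812" while IPPx sends; a capture that stays empty, like the trace above, means the datagrams are being dropped upstream and IPFilter is not the component to debug.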
 

Author Closing Comment

by:gs_kanata
ID: 31503708
The problem is not fully answered.
0
