[7162] in bugtraq

Re: Port 0 oddities

daemon@ATHENA.MIT.EDU (Niels Bakker)
Thu Jul 2 23:02:15 1998

Date: 	Thu, 2 Jul 1998 23:53:57 +0200
Reply-To: Niels Bakker <niels@euro.net>
From: Niels Bakker <niels@EURO.NET>
X-To:         Simon Halsall <S.Halsall@ERIS.DERA.GOV.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19980701170428.23050.qmail@eris.dera.gov.uk>

Quoth Simon Halsall:

> I've been off bugtraq for a couple of weeks but I just saw these messages. I
> have recently been putting logging into our cisco's rule set so that I can see
> what traffic is being passed through our network. I spotted traffic that
> appeared to be missed by the rules as it had src port 0 and dst port 0.

On cisco-nsp@qual.net I postulated that IOS only logs port numbers when it
needed to look at them in a previous access-list <n> entry.

If you have

        access-list 105 deny ip any any log-input

as the last entry in an ACL, you could try changing that to

        access-list 105 deny udp any range 1 65535 any range 1 65535 log-input
        access-list 105 deny tcp any range 1 65535 any range 1 65535 log-input
        access-list 105 deny ip any any log-input

instead.  It solved the problem for me - I now see port numbers logged.

> Further investigation showed that it was ssh that was causing this. I have
> looked at the packets using tcpdump and they look fine and what I would expect
> but the cisco is still reporting packets from 0 to 0.

On a related note, it amazes me what amounts of packets with bogus source
addresses customers unleash upon us just by misconfiguration of their
WinGate proxies and thus leaking 192.168.x.y addresses.  Too bad
Livingston^WLucent's ChoiceNet doesn't have an option to automatically
drop packets with a source address other than the one assigned to the
customer on that dialup port...

Take care,

--
Niels Bakker,                          * *      EuroNet Internet BV
Network Operations                   *     *    Herengracht 208-214
                                    *           1016 BS  Amsterdam
NJB9                               *            +31 (0)20 535 5555
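
An added example, not part of the original post and not Cisco tooling: a Python triage of ACL syslog entries that counts, per access list, TCP/UDP hits logged as port 0 to port 0 (the symptom discussed above) and tallies RFC 1918 source addresses such as the leaked 192.168.x.y ones. The log lines are constructed and assume the usual `%SEC-6-IPACCESSLOGP` message layout; `parse` and `triage` are names chosen here.

```python
import ipaddress
import re
from collections import Counter

# Constructed syslog lines in the usual IOS %SEC-6-IPACCESSLOGP layout.
# Addresses, interface name and MAC are made up for this example.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 105 denied tcp 192.0.2.10(0) -> 198.51.100.5(0), 1 packet
%SEC-6-IPACCESSLOGP: list 105 denied tcp 192.0.2.10(1022) (Ethernet0 0000.0c12.3456) -> 198.51.100.5(22), 3 packets
%SEC-6-IPACCESSLOGP: list 105 denied udp 192.168.4.7(0) -> 198.51.100.9(0), 2 packets
%SEC-6-IPACCESSLOGP: list 110 denied udp 192.168.4.7(137) -> 198.51.100.9(137), 1 packet
"""

# The optional "(interface mac)" group is what log-input adds after the source.
ENTRY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \([^)]*\))? -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(log_text):
    """Yield one dict per TCP/UDP ACL log entry; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m:
            e = m.groupdict()
            e.update({k: int(e[k]) for k in ("sport", "dport", "count")})
            yield e


def triage(log_text):
    """Return (port0, rfc1918_src) packet counts.

    port0: per ACL, packets logged as port 0 -> port 0. Following the post's
           explanation these are entries where ports were never examined
           (a packet that really used port 0 would look the same).
    rfc1918_src: per source address, packets sourced from private space.
    """
    port0, rfc1918_src = Counter(), Counter()
    for e in parse(log_text):
        if e["sport"] == 0 and e["dport"] == 0:
            port0[e["acl"]] += e["count"]
        if any(ipaddress.ip_address(e["src"]) in net for net in RFC1918):
            rfc1918_src[e["src"]] += e["count"]
    return dict(port0), dict(rfc1918_src)
```

An access list that shows up in the first result is a candidate for the port-range entries shown in the message before its final `deny ip any any log-input`.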