Re: weird ports on some requests.
Not sure where those port 6 packets are coming from, but: I've seen tftp implementations that do funny things with port numbers. Specifically, if C is client and S is server,

    C -- S   src-port=N1   dst-port=69
    S -- C   src-port=N2   dst-port=N1

where both N1 and N2 are high numbers. The point is that the returning packets were NOT showing up with src-port=69 as one would expect but with some dynamic high port number N2, which messed up my filtering at the time. I thought this was relevant but your email seems to indicate high dst-port numbers so maybe it's something else.

HTH,
Avishai

--- Shay Hugi [EMAIL PROTECTED] wrote:
> Hi..
>
> I'm using cisco access lists to deny users with cable modems to access our network. The problem is: I needed to add the services the users are allowed to do when they are using our internal systems. Some of them are... modem sync.. (DHCP requests from both modem user's computer.) So I've added the list of ports needed: bootps, tftp, time, to both our CNR's 172.19.2.5, 172.19.4.5.
>
> ...
> access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.4.5 eq bootps
> access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.2.5 eq bootps
> access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.4.5 eq tftp
> access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.2.5 eq tftp
> access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.4.5 eq time
> access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.2.5 eq time
> ...
> access-list 111 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
> access-list 111 permit ip any any
>
> And the customers' modems just didn't go online... So I brought a GI modem with an internal modem webpage so I'd be able to see in what status he is being blocked, and I've also gone into debugging mode on the router, snooped a bit, and I saw there are requests from the modems to ports that are higher than 6... So I've also enabled port 6 and greater, so now I solved the problem.
>
> access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.4.5 gt 6
> access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.2.5 gt 6
>
> But... I still wanna know why I need those ports open? And which service is using them?
>
> Thanks
> -Shay Hugi
> -Mpthrill.com
>
> --
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
>
> End of Firewalls Digest

=
Avishai Wool, Ph.D., Chief Scientist
Co-Founder, Lumeta Corp.
http://research.lumeta.com/yash/
http://www.eng.tau.ac.il/~yash
[EMAIL PROTECTED]
Tel: +972-3-640-7206   Fax: +972-3-640-7095
** Want to audit or debug your firewall's policy? **
Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html

--
Firewalls mailing list - [ [EMAIL PROTECTED] ]
To unsubscribe: http://www.isc.org/services/public/lists/firewalls.html
Re: weird ports on some requests.
Avishai Wool wrote:
> Not sure where those port 6 packets are coming from, but: I've seen tftp implementations that do funny things with port numbers. Specifically, if C is client and S is server,
>
>     C -- S   src-port=N1   dst-port=69
>     S -- C   src-port=N2   dst-port=N1

That's how TFTP works. It negotiates dynamic port numbers to use in the file transfer. It gets a LOT more interesting when the TFTP server chooses ports in the 1024--1 range. (Argh!)

From http://www.ietf.org/rfc/rfc1350.txt page 5:

    1. Host A sends a WRQ to host B with source= A's TID, destination= 69.
    2. Host B sends a ACK (with block number= 0) to host A with source= B's TID, destination= A's TID.

Where TID is Transaction ID, which is to be randomly chosen; the standard places no constraints on the TIDs other than that they should be 1--65535 except for 69. The TIDs are used as port numbers.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50   WWW: http://www.clavister.com
Senex semper diu dormit
weird ports on some requests.
Hi..

I'm using cisco access lists to deny users with cable modems to access our network. The problem is: I needed to add the services the users are allowed to do when they are using our internal systems. Some of them are... modem sync.. (DHCP requests from both modem user's computer.) So I've added the list of ports needed: bootps, tftp, time, to both our CNR's 172.19.2.5, 172.19.4.5.

...
access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.4.5 eq bootps
access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.2.5 eq bootps
access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.4.5 eq tftp
access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.2.5 eq tftp
access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.4.5 eq time
access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.2.5 eq time
...
access-list 111 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
access-list 111 permit ip any any

And the customers' modems just didn't go online... So I brought a GI modem with an internal modem webpage so I'd be able to see in what status he is being blocked, and I've also gone into debugging mode on the router, snooped a bit, and I saw there are requests from the modems to ports that are higher than 6... So I've also enabled port 6 and greater, so now I solved the problem.

access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.4.5 gt 6
access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.2.5 gt 6

But... I still wanna know why I need those ports open? And which service is using them?

Thanks
-Shay Hugi
-Mpthrill.com
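The following is an added example, not code from anyone in this thread. It ties Mikael's RFC 1350 explanation to Shay's access-list 111: a small evaluator for the numbered-ACL syntax posted above, run against the three port pairs of one TFTP transfer, to show which leg of the transfer the `eq tftp` entries drop and why adding `gt 6` made the modems come up. The ACL text and the CNR hosts 172.19.4.5 / 172.19.2.5 are taken from Shay's post; the modem address 10.64.1.10 and the TIDs 2049 / 3781 are constructed sample values, and the placement of the `gt 6` lines ahead of the `deny ip` entry is an assumption (a first-match ACL would never reach them after it).

```python
"""Added example (not from the Firewalls list thread): evaluate Shay's
access-list 111 against the datagrams of a TFTP transfer per RFC 1350
section 4. Modem address and TIDs below are constructed sample values."""
import ipaddress
from typing import NamedTuple, Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "tftp": 69, "time": 37}

# access-list 111 as posted, before the fix. A Cisco ACL is first-match and
# ends with an implicit deny; the ACL only constrains traffic sourced from 10/8.
ACL_ORIGINAL = """
access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.4.5 eq bootps
access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.2.5 eq bootps
access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.4.5 eq tftp
access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.2.5 eq tftp
access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.4.5 eq time
access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.2.5 eq time
access-list 111 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
access-list 111 permit ip any any
"""

# The two lines Shay added. Assumed to sit before the 'deny ip' entry.
ACL_FIX = """
access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.4.5 gt 6
access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.2.5 gt 6
"""


class Ace(NamedTuple):
    action: str
    proto: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    op: Optional[str]    # eq / gt / lt on the destination port, or None
    port: Optional[int]


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' -> (address, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text):
    """Parse 'access-list N action proto src dst [op port]' lines (the syntax used here)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, src_wc, i = _addr(t, 4)
        dst, dst_wc, i = _addr(t, i)
        op = port = None
        if i < len(t):
            op = t[i]
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[2], t[3], src, src_wc, dst, dst_wc, op, port))
    return aces


def _wc_match(addr, net, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    return ((addr ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(aces, proto, src, dst, dport):
    """First-match lookup; returns 'permit' or 'deny' (implicit deny at the end)."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if not (_wc_match(s, a.src, a.src_wc) and _wc_match(d, a.dst, a.dst_wc)):
            continue
        if a.op == "eq" and dport != a.port:
            continue
        if a.op == "gt" and dport <= a.port:
            continue
        if a.op == "lt" and dport >= a.port:
            continue
        return a.action
    return "deny"


def tftp_datagrams(client, server, tid_a, tid_b):
    """Port pairs of one TFTP transfer (RFC 1350 section 4): only the request
    goes to port 69; every later datagram runs between the two TIDs."""
    return [
        ("request  A:TID_A -> B:69",    client, server, tid_a, 69),
        ("reply    B:TID_B -> A:TID_A", server, client, tid_b, tid_a),
        ("ack/data A:TID_A -> B:TID_B", client, server, tid_a, tid_b),
    ]


def check(acl_text, client="10.64.1.10", server="172.19.4.5", tid_a=2049, tid_b=3781):
    """Map each datagram of the transfer to the ACL's verdict (constructed TIDs)."""
    aces = parse_acl(acl_text)
    return {desc: evaluate(aces, "udp", s, d, dport)
            for desc, s, d, _sport, dport in tftp_datagrams(client, server, tid_a, tid_b)}


def with_fix(acl_text, fix_text=ACL_FIX):
    """Insert the 'gt 6' entries ahead of the first deny entry."""
    lines = acl_text.strip().splitlines()
    cut = next(k for k, line in enumerate(lines) if line.split()[2] == "deny")
    return "\n".join(lines[:cut] + fix_text.strip().splitlines() + lines[cut:])


if __name__ == "__main__":
    for label, text in (("original ACL", ACL_ORIGINAL), ("with 'gt 6'", with_fix(ACL_ORIGINAL))):
        print(label)
        for desc, verdict in check(text).items():
            print(f"  {desc:32} {verdict}")
```

With the original ACL the request to port 69 is permitted, but the modem's next datagram goes to the server's TID, a high port that matches no `eq` entry, so it falls through to `deny ip` and the transfer stalls; this is the "ports higher than 6" traffic seen in the router debug. Because the RFC lets a TID be any port from 1 to 65535, no stateless port range narrower than the whole UDP port space can cover that leg, so `gt 6` is effectively "all UDP to the CNRs" and is tolerable only because it is scoped to the two server hosts. A stateful mechanism that tracks the TID pair per transfer (for example IOS reflexive ACLs or inspection) would let the deny stay in place for everything else.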