> Date: Wed, 19 Jul 2000 13:58:32 -0500
> From: "Gary Maltzen" <[EMAIL PROTECTED]>
> Subject: denying tcp/0
> I keep seeing (and denying) tcp packets with both source and destination
> port zero; can somebody tell me what purpose these serve?
Gary,
tcp port 0 on a Cisco router is a bug. If you use an access
list and do NOT put a TCP port in one of the lines, Cisco, to
improve the speed of the algorithm, will not pull the TCP port and
will thus display it as zero. The Cisco IOS is lying; it really
isn't port 0 at all. After investigating, I found it was usually
another port like 80 or something else.
You have two choices. Choice the first: Put a TCP eq <some
port> on the end of one of your access-list lines. Choice the
second: Ignore the port number, since the real number isn't getting
pulled.
And to seal it, here is the Cisco info it took me 2 months to
get when I found this problem:
> This is the case opened for issues with the port # being zero
> in your log.
> BUG CSCdj36500 was opened for this issue and it was junked with
> the following:
> We only log the ports, both source and destination, if they are
> actually extracted from the data packet for access list
> processing. In this case the access list does not specify port
> numbers to be checked, so in order to speed up access list
> processing, we don't extract them from the packet. That's why
> they print out as zero.
> If you modify the access list to include port numbers for any of
> the items within the access-list, for example:
> "access-list 113 permit tcp any any eq telnet",
> then the port numbers, both source and destination will be logged.
And finally, another example from Cisco:
> Here are some other examples:
> access-list 111 permit tcp any gt 0 any gt 0 log
> access-list 111 permit udp any gt 0 any gt 0 log
> access-list 111 permit ip any any 0 log
Good Luck!
-- Terry
Terry Lee Moore [EMAIL PROTECTED]
Systems Administrator 303-541-6737 voice
U S WEST, Advanced Technologies 303-405-9914 pager
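
Added example (not part of the original message and not Cisco code): a log triage sketch that applies the rule quoted above, treating a logged port pair of (0) -> (0) as "ports not extracted" when the matching access list has no entry that tests a port. The log line shape, the sample config, the sample addresses and the verdict labels are constructed assumptions.

```python
import re

# Operators that make an extended ACL entry test a layer-4 port.
PORT_OPS = re.compile(r"\b(eq|gt|lt|neq|range)\s+\S+")
ACL_LINE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(tcp|udp)\s+(.*)$")
# Assumed log shape: "list 113 denied tcp 192.0.2.10(0) -> 198.51.100.7(0), 1 packet"
LOG_LINE = re.compile(
    r"list\s+(\S+)\s+(permitted|denied)\s+(tcp|udp)\s+"
    r"(\S+?)\((\d+)\)\s+->\s+(\S+?)\((\d+)\)")

# Constructed sample input (documentation address ranges).
SAMPLE_CONFIG = """\
access-list 112 deny tcp any any log
access-list 113 permit tcp any any eq telnet
access-list 113 deny tcp any any log
"""
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 112 denied tcp 192.0.2.10(0) -> 198.51.100.7(0), 1 packet
%SEC-6-IPACCESSLOGP: list 113 denied tcp 192.0.2.10(0) -> 198.51.100.7(0), 1 packet
%SEC-6-IPACCESSLOGP: list 113 denied tcp 192.0.2.11(40312) -> 198.51.100.7(80), 3 packets
"""

def lists_matching_ports(config):
    """Return ACL numbers with at least one tcp/udp entry that tests a port."""
    found = set()
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if m and PORT_OPS.search(m.group(4)):
            found.add(m.group(1))
    return found

def triage(config, log):
    """Label each logged tcp/udp hit according to how far its ports can be trusted."""
    with_ports = lists_matching_ports(config)
    results = []
    for line in log.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        acl, _action, _proto, src, sport, dst, dport = m.groups()
        if sport == "0" and dport == "0":
            # No port test anywhere in the list: the zeros are a logging artifact.
            verdict = "check-packet" if acl in with_ports else "ports-not-extracted"
        else:
            verdict = "ports-logged"
        results.append((acl, src, int(sport), dst, int(dport), verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_CONFIG, SAMPLE_LOG):
        print(row)
```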