Since these packets are blocked by default they won't get in; however,
the default logging profile is "log all rejects". So you need to
create an explicit Remote Access filter to "block but don't log"
these broadcast packets:
    Block Compaq Web-based Management Broadcast Packets
      Deny ANY UDP ("no" for logging)
      src:  ANY_IP
      dest: ANY_IP port 2301 (and check the Broadcast box)

Make sure it gets inserted before the last "catch all" filter.
Paul
>
>Hi all,
>
>I have a query for you all. The ISP where my firewall and servers reside
>has a number of machines that are broadcasting UDP packets (port 2301)
>across the network (as seen below):
>
>17 5 Aug 6 04:26:02 FILTER: Remote access filter blocks: UDP bcast xl0
>[x.x.x.x/2301]->[255.255.255.255/2301] l=12.
>17 5 Aug 6 04:26:05 FILTER: Remote access filter blocks: UDP bcast xl0
>[x.x.x.x/2301]->[255.255.255.255/2301] l=12.
>17 5 Aug 6 04:26:11 FILTER: Remote access filter blocks: UDP bcast xl0
>[x.x.x.x/2301]->[255.255.255.255/2301] l=12.
>17 5 Aug 6 04:26:22 FILTER: Remote access filter blocks: UDP bcast xl0
>[x.x.x.x/2301]->[255.255.255.255/2301] l=12.
>17 5 Aug 6 04:26:23 FILTER: Remote access filter blocks: UDP bcast xl0
>[x.x.x.x/2301]->[255.255.255.255/2301] l=12.
>17 5 Aug 6 04:26:34 FILTER: Remote access filter blocks: UDP bcast xl0
>[x.x.x.x/2301]->[255.255.255.255/2301] l=12.
>17 5 Aug 6 04:26:36 FILTER: Remote access filter blocks: UDP bcast xl0
>[x.x.x.x/2301]->[255.255.255.255/2301] l=12.
>17 5 Aug 6 04:26:38 FILTER: Remote access filter blocks: UDP bcast xl0
>[x.x.x.x/2301]->[255.255.255.255/2301] l=12.
>
>The service on port 2301 appears to be a "Compaq Web-based Management"
>service. These machines are not under my control and are sending these
>packets every few minutes. I believe that there is a possible security risk
>involved here (which you may be able to clarify), not for my machines
>specifically, but possibly other machines not behind the firewall at the ISP.
>This service is external facing and anyone can access it! This Compaq web
>service does not exist on any of my equipment so there is no issue with
>respect to that.
>
>Now, here's the question...
>
>My log files are growing extremely large as a result of this frequent
>occurrence. Is there a way to temporarily stop the firewall from logging
>the rejection of these *specific* packets? I am not saying I want to allow
>them through the firewall, just that I do not want them logged as I may be
>missing more important warnings due to the massive log files.
>
>As usual all comments / observations are fully appreciated.
>
>TIA,
>
>Gerald.
>----------------------------------------------
>To Unsubscribe: send mail to [EMAIL PROTECTED]
>with "unsubscribe gb-users your_email_address
>in the body of the message
--
----------------------------------------------------------------------------
Paul Emerson Tel: +1.407.380.0220 x106
Global Technology Associates, Inc. Fax: +1.407.380.6080
3505 Lake Lynda Drive Mobile: +1.407.310.8563
Suite 109 Email: [EMAIL PROTECTED]
Orlando, Florida 32817 USA Web: http://www.gta.com
Mobile Email: [EMAIL PROTECTED]
----------------------------------------------------------------------------
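Before adding the non-logging filter, it helps to measure how much of the log the port 2301 broadcasts actually account for, and what would still be logged afterwards. The script below is an added example, not part of the thread; it parses entries in the shape of the "Remote access filter blocks" lines Gerald quoted (re-joining lines wrapped by the mail client), applies the same match Paul's filter uses (UDP, broadcast, destination port 2301), and reports what gets silenced versus what remains. The sample entries, addresses and the layout of the non-broadcast TCP line are constructed assumptions.

```python
import re
from collections import Counter

# Layout of the GNAT Box "Remote access filter blocks" entries quoted in the thread.
# The "bcast" token is optional so non-broadcast blocks (assumed same layout) parse too.
LINE_RE = re.compile(
    r"^\d+ \d+ (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) FILTER: "
    r"Remote access filter blocks: (?P<proto>\w+) (?:(?P<bcast>bcast) )?(?P<iface>\S+) "
    r"\[(?P<src>[^/\]]+)/(?P<sport>\d+)\]->\[(?P<dst>[^/\]]+)/(?P<dport>\d+)\] l=(?P<len>\d+)\.$"
)

# Constructed sample in the wrapped form seen in the mail (not real log data).
SAMPLE_LOG = """\
17 5 Aug 6 04:26:02 FILTER: Remote access filter blocks: UDP bcast xl0
[10.0.0.5/2301]->[255.255.255.255/2301] l=12.
17 5 Aug 6 04:26:05 FILTER: Remote access filter blocks: UDP bcast xl0
[10.0.0.5/2301]->[255.255.255.255/2301] l=12.
17 5 Aug 6 04:26:09 FILTER: Remote access filter blocks: UDP bcast xl0
[10.0.0.9/138]->[255.255.255.255/138] l=201.
17 5 Aug 6 04:26:11 FILTER: Remote access filter blocks: TCP xl0
[192.0.2.9/44012]->[203.0.113.4/23] l=48.
17 5 Aug 6 04:26:22 FILTER: Remote access filter blocks: UDP bcast xl0
[10.0.0.7/2301]->[255.255.255.255/2301] l=12.
"""

def unwrap(text):
    """Re-join entries that were wrapped before the '[src/port]' field."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and out:
            out[-1] += " " + line      # continuation of the previous entry
        else:
            out.append(line)
    return out

def parse_log(text):
    """One dict per parsable entry; anything not matching the layout is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, unwrap(text)) if m]

def matches_quiet_filter(rec):
    """Paul's filter: deny UDP, any src, any dst port 2301, broadcast only."""
    return rec["proto"] == "UDP" and rec["bcast"] == "bcast" and rec["dport"] == "2301"

def summarize(records):
    """Count what the non-logging filter would silence and what stays in the log."""
    quiet = [r for r in records if matches_quiet_filter(r)]
    rest = Counter((r["proto"], r["dport"]) for r in records if not matches_quiet_filter(r))
    return {"total": len(records), "silenced": len(quiet),
            "silenced_sources": sorted({r["src"] for r in quiet}),
            "remaining": dict(rest)}
```

Run `summarize(parse_log(open("filter.log").read()))` against a real export to see the noise share; a large "remaining" count on another broadcast port means a second quiet filter, not a broader one.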