
RE: UDP Port 0 not blockable

Hi there,

> Now the weird problem is that I can't for my life block these packets!
> I've tried blocking them like this:
> iptables -I INPUT -s y.y.y.y -j DROP
> And the same for OUTPUT and FORWARD, and I've tried blocking
> on UDP port 0, but they still come in.
You can't stop the packets from coming to your machine. If your IDS
(snort) is listening on the outside interface, then you'll see the
packets regardless of whether you drop them or not.
If the packets are addressed to the firewall/IDS machine itself, use the
INPUT chain.
If they are addressed to somebody inside, use the FORWARD chain.

> I see them with snort, even when the interface is not in promiscuous
> mode. What can I do? I'm stuck.
Promiscuous mode only changes whether or not you see the traffic that is
not addressed to you on the datalink layer. E.g. hosts A, B and C are
connected to an ethernet hub. B and C exchange some information. If you
run a sniffer on A you won't see anything _unless_ you enable
promiscuous mode on the ethernet card of A.
If you are not in promiscuous mode you still see all traffic that is
addressed to you and the broadcasts/multicasts on the datalink layer. That
includes all traffic routed through the box.

Take a peek at 
iptables -L INPUT -nvx
iptables -L FORWARD -nvx
If the byte and packet counters increase over time it means that you
are dropping some of the traffic now.
If the counters are not zero it means that you have dropped some traffic
since you inserted the rule or cleared the counters.

Try inserting a -s y.y.y.y -j LOG rule just before the -s y.y.y.y -j
DROP rule. If it logs anything to the kernel log (dmesg or tail
/var/log/kern.log) then you are in fact dropping the traffic.

Try sniffing where the traffic should be filtered (maybe on the internal
interface). If you can't see it there, obviously you have dropped it.

Best regards,
Boyan Krosnov, CCIE#8701
just another techie speaking for himself
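As an added example (not part of this thread or of any of the posters' own tooling), here is a small POSIX sh helper that reads the output of `iptables -L <chain> -nvx` and lists the DROP and LOG rules whose packet counters are non-zero, which is the check described above. The listing it parses is a constructed sample for a hypothetical host; the address 192.0.2.10 stands in for y.y.y.y and the counter values are made up.

```shell
#!/bin/sh
# Added example: find DROP/LOG rules that have actually matched traffic,
# based on the exact (-x) packet and byte counters in a verbose listing.
# Constructed sample of `iptables -L INPUT -nvx` output (not real data).
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 12345 packets, 6789012 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2688 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
       0        0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:0
       7      420 LOG        all  --  *      *       192.0.2.10           0.0.0.0/0            LOG flags 0 level 4'

# hit_rules: reads a `-nvx` listing on stdin and prints
# "<target> <source> <pkts> <bytes>" for every DROP/LOG rule with pkts > 0.
# Fields in the listing: 1=pkts 2=bytes 3=target 4=prot 5=opt 6=in 7=out
# 8=source 9=destination; the first two lines are the chain and column headers.
hit_rules() {
    awk 'NR > 2 && ($3 == "DROP" || $3 == "LOG") && $1 > 0 { print $3, $8, $1, $2 }'
}

# dropped_from: exit 0 (true) when some DROP rule for the given source
# address has counted packets, i.e. the block is working; exit 1 otherwise.
dropped_from() {
    src="$1"
    hit_rules | awk -v s="$src" '$1 == "DROP" && $2 == s { found = 1 }
                                 END { exit (found ? 0 : 1) }'
}

# Live usage on the firewall itself (needs root; commented out so the script
# runs without iptables installed):
#   iptables -L INPUT -nvx   | hit_rules
#   iptables -L FORWARD -nvx | dropped_from 192.0.2.10 && echo "DROP rule is matching"
printf '%s\n' "$SAMPLE_INPUT" | hit_rules
```

Run against the sample, `hit_rules` reports the DROP rule and the LOG rule for 192.0.2.10 and skips the port-0 rule whose counters are still zero, which is exactly the distinction the reply draws between "the rule exists" and "the rule has dropped something". Remember that counters are cumulative since insertion or the last `iptables -Z`, so compare two listings taken a little apart if you want to know whether traffic is being dropped right now.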
