RE: UDP Port 0 not blockable
On ons, 2003-05-14 at 11:01, Boyan Krosnov wrote:
> Hi there,
> > Now the weird problem is that I can't for my life block these packets!
> > I've tried blocking them like this:
> > iptables -I INPUT -s y.y.y.y -j DROP
> > And the same for OUTPUT and FORWARD, and I've tried blocking
> > on UDP port
> > 0, but they still come in.
> You can't stop the packets from coming to your machine. If your IDS
> (snort) is listening on the outside interface, then you'll see the
> packets regardless if you drop them or not.
Now, this is where my understanding differs from yours. As far as I
understand, iptables works in kernelland, and will drop the packets
without them ever reaching userland. Snort, on the other hand, lives and
works in userland, and should NOT see packets dropped by the kernel.
I've made some very simple tests, but they support my belief. Are you
100% certain that snort should be able to see the packets even if I drop
> If the packets are addressed to the firewall/ids machine itself use the
> INPUT chain.
> If they are addressed to somebody inside use the FORWARD chain.
> > I see them with snort, even when the interface is not in promiscious
> > mode. What can I do? I'm stuck.
> The promiscous mode only changes if you see or not the traffic not
> addressed to you on the datalink layer. E.g. hosts A, B and C are
> connected to an ethernet hub. B and C exchange some information. If you
> run a sniffer on A you won't see anything _unless_ you enable
> promiscious mode on the ethernet card of A.
> If you are not in promiscous mode you still see all traffic that is
> addressed to you and the broadcasts/multicasts on datalink layer. That
> includes all traffic routed through the box.
Ah! Cleared that up for me. Thanks.
> Try sniffing where the traffic should be filtered (maybe on the internal
> interface). If you can't see it there, obviously you have dropped it.
Well, no packets destined to UDP port 0 should be routed to the inside,
so they should be dropped anyhow.