Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1998_3

Bugtraq archives for 3rd quarter (Jul-Sep) 1998: Re: Port 0 oddities

Re: Port 0 oddities

Niels Bakker (nielseuro.net)
Thu, 2 Jul 1998 23:53:57 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dan Jacobowitz: "Re: qpopper2.52"
Previous message: Chris Fletcher: "Re: Port 0 oddities"
In reply to: Simon Halsall: "Re: Port 0 oddities"

Quoth Simon Halsall:

> I've been off bugtraq for a couple of weeks but I just saw these messages. I
> have recently been putting logging into our cisco's rule set so that I can see
> what traffic is being passed through our network. I spotted traffic that
> appeared to be missed by the rules as it had src port 0 and dst port 0.

On cisco-nspqual.net I postulated that IOS only logs port numbers when it
needed to look at them in a previous access-list <n> entry.

If you have

        access-list 105 deny ip any any log-input

as the last entry in an ACL, you could try changing that to

        access-list 105 deny udp any range 1 65535 any range 1 65535 log-input
        access-list 105 deny tcp any range 1 65535 any range 1 65535 log-input
        access-list 105 deny ip any any log-input

instead.  It solved the problem for me - I now see port numbers logged.

> Further investigation showed that it was ssh that was causing this. I have
> looked at the packets using tcpdump and they look find and what I would expect
> but the cisco is still reporting packets from 0 to 0.

On a related note, it amazes me what amounts of packets with bogus source
addresses customers unleash upon us just by misconfiguration of their
WinGate proxies and thus leaking 192.168.x.y addresses.  Too bad
Livingston^WLucent's ChoiceNet doesn't have an option to automatically
drop packets with a source address other than the one assigned to the
customer on that dialup port...

Take care,

--
Niels Bakker,                          * *      EuroNet Internet BV
Network Operations                   *     *    Herengracht 208-214
                                    *           1016 BS  Amsterdam
NJB9                               *            +31 (0)20 535 5555

Next message: Dan Jacobowitz: "Re: qpopper2.52"
Previous message: Chris Fletcher: "Re: Port 0 oddities"
In reply to: Simon Halsall: "Re: Port 0 oddities"