[fw-wiz] udp port 0



Thanks a lot guys for your help,
but after applying
deny tcp any range 0 65535 any range 0 65535 log
deny udp any range 0 65535 any range 0 65535 log
everything seems to be working fine.
Although there were specific rules for denying IP addresses I see in
the logs, like deny udp 192.168.1.0 0.0.0.255 any log... it seems
that this rule was not enough to identify the correct port.

many thanks to you Koug and many thanks to all of you guys

regards,



On Feb 6, 2008 10:39 AM, John Kougoulos <koug@xxxxxxxxxxx> wrote:

Either the packet is a fragment (so there is no source - dest port),
or you need to specify the "deny ip any any log" statement as follows, so
that it correctly logs the port numbers:

deny tcp any range 0 65535 any range 0 65535 log
deny udp any range 0 65535 any range 0 65535 log
deny ip any any log


--koug


On Mon, 4 Feb 2008, shadow floating wrote:

Hi list,
I keep getting logs from my IOS router 12.4 T about denying udp packet
ip a.a.a.a (0) --> b.b.b.b (0)
I kept googling about udp port zero and it's apparently not used, at
least legitimately. I also inspected the traffic from the logged IP
address via wireshark and it never captures any udp packet with src or
dst port 0, but I still get these logs all day long.
Anyone got an idea about what it is? Is it something like udp tracerouting?
Thanks a lot

regards,

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
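
An added example, not part of the thread: a small triage script that pulls the "(0) -> (0)" entries out of IOS ACL log lines so they can be counted per ACL and address pair and checked against the explanation given above (fragment, or a match that was logged without port information). It assumes the standard IOS %SEC-6-IPACCESSLOGP syslog layout; the sample lines, addresses and ACL number are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the IOS %SEC-6-IPACCESSLOGP layout
# (addresses, ACL number and packet counts are made up for this example).
SAMPLE_LOG = """\
Feb  4 09:12:01 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(0) -> 198.51.100.5(0), 1 packet
Feb  4 09:12:07 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(0) -> 198.51.100.5(0), 4 packets
Feb  4 09:13:30 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40112) -> 198.51.100.5(23), 1 packet
Feb  4 09:14:02 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.44(53211) -> 198.51.100.5(161), 2 packets
"""

LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse(text):
    """Yield one dict per IPACCESSLOGP line; other lines are skipped."""
    for line in text.splitlines():
        m = LOGP.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            yield rec

def port_zero_summary(text):
    """Packet totals per (acl, proto, src, dst) where both logged ports are 0.

    Following the thread, these entries are treated as "ports not recorded
    by the log", not as traffic that really used port 0 on the wire.
    """
    totals = Counter()
    for rec in parse(text):
        if rec["sport"] == 0 and rec["dport"] == 0:
            totals[(rec["acl"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return totals

if __name__ == "__main__":
    for key, pkts in port_zero_summary(SAMPLE_LOG).items():
        print(key, pkts, "packets logged without port numbers")
```

If the port-0 totals for an address pair stay the same after the tcp/udp "range 0 65535" entries are placed ahead of "deny ip any any log", fragments are the remaining explanation from the thread.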


