Bugtraq mailing list archives

Re: Port 0 oddities


From: niels () euro net (Niels Bakker)
Date: Thu, 2 Jul 1998 23:53:57 +0200


Quoth Simon Halsall:

> I've been off bugtraq for a couple of weeks but I just saw these messages. I
> have recently been putting logging into our cisco's rule set so that I can see
> what traffic is being passed through our network. I spotted traffic that
> appeared to be missed by the rules as it had src port 0 and dst port 0.

On cisco-nsp () qual net I postulated that IOS only logs port numbers when it
needed to look at them in a previous access-list <n> entry.

If you have

        access-list 105 deny ip any any log-input

as the last entry in an ACL, you could try changing that to

        access-list 105 deny udp any range 1 65535 any range 1 65535 log-input
        access-list 105 deny tcp any range 1 65535 any range 1 65535 log-input
        access-list 105 deny ip any any log-input

instead.  It solved the problem for me - I now see port numbers logged.

> Further investigation showed that it was ssh that was causing this. I have
> looked at the packets using tcpdump and they look fine and what I would expect
> but the cisco is still reporting packets from 0 to 0.

On a related note, it amazes me what amounts of packets with bogus source
addresses customers unleash upon us just by misconfiguration of their
WinGate proxies and thus leaking 192.168.x.y addresses.  Too bad
Livingston^WLucent's ChoiceNet doesn't have an option to automatically
drop packets with a source address other than the one assigned to the
customer on that dialup port...

Take care,

--
Niels Bakker,                          * *      EuroNet Internet BV
Network Operations                   *     *    Herengracht 208-214
                                    *           1016 BS  Amsterdam
NJB9                               *            +31 (0)20 535 5555
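
A small log-triage script, added here as an example and not part of the thread or of any Cisco tooling. It separates the two things the thread talks about: tcp/udp entries that IOS logged as 0 -> 0 because no earlier ACL entry made it look at the ports (so the zeros are placeholders, not genuine port-0 traffic), and entries whose source address is an RFC 1918 address leaking in from a misconfigured customer. The line shape is an assumption modelled on IOS `%SEC-6-IPACCESSLOGP` messages with `log-input`, and all sample lines are constructed.

```python
"""Triage Cisco IOS ACL log lines for two artefacts: tcp/udp entries logged as
port 0 -> 0, and RFC 1918 source addresses arriving from customer links.
Added example; the log lines below are constructed, not captured."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed shape of an IPACCESSLOGP message (tcp/udp with ports).  The optional
# "(interface mac)" group after the source is what log-input adds.  The syslog
# prefix in front of "list" is not matched, so it may vary.
_LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>[^)]*)\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# RFC 1918 ranges, checked explicitly so documentation ranges are not flagged.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int

    @property
    def ports_unresolved(self) -> bool:
        """0 -> 0 on tcp/udp: under the thread's explanation IOS never
        evaluated the ports, so the zeros are placeholders, not port-0 traffic."""
        return self.sport == 0 and self.dport == 0

    @property
    def private_source(self) -> bool:
        """Source address inside an RFC 1918 block (leaked NAT/proxy traffic)."""
        return any(ipaddress.ip_address(self.src) in n for n in RFC1918)


def parse_line(line: str) -> Optional[AclLogEntry]:
    """Parse one syslog line; None for lines that are not tcp/udp ACL logs."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return AclLogEntry(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), packets=int(m["count"]),
    )


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count parsed/unparsed lines and the two artefacts of interest."""
    counts = {"parsed": 0, "unparsed": 0,
              "ports_unresolved": 0, "private_source": 0}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        counts["parsed"] += 1
        if entry.ports_unresolved:
            counts["ports_unresolved"] += 1
        if entry.private_source:
            counts["private_source"] += 1
    return counts


# Constructed sample lines (not real captures).
SAMPLE_LINES: List[str] = [
    "Jul  2 23:10:01 rtr1 1234: %SEC-6-IPACCESSLOGP: list 105 denied tcp "
    "192.168.1.7(0) (Serial0/0 0010.7b12.3456) -> 10.1.2.3(0), 1 packet",
    "Jul  2 23:10:05 rtr1 1235: %SEC-6-IPACCESSLOGP: list 105 denied tcp "
    "198.51.100.9(41234) (Serial0/0 0010.7b12.3457) -> 10.1.2.3(22), 3 packets",
    "Jul  2 23:10:09 rtr1 1236: %SEC-6-IPACCESSLOGP: list 105 denied udp "
    "192.168.0.2(0) (Serial0/0 0010.7b12.3458) -> 10.1.2.3(0), 1 packet",
    "Jul  2 23:10:11 rtr1 1237: %SEC-6-IPACCESSLOGDP: list 105 denied icmp "
    "192.168.9.9 -> 10.1.2.3 (8/0), 1 packet",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_line(line)
        if e is not None:
            print(f"{e.proto} {e.src}({e.sport}) -> {e.dst}({e.dport}) "
                  f"ports_unresolved={e.ports_unresolved} "
                  f"private_source={e.private_source}")
    print(summarize(SAMPLE_LINES))
```

Once the ACL has been changed as described above, the `ports_unresolved` count should drop to zero for tcp/udp; anything that still logs as 0 -> 0 afterwards is worth a packet capture, as Simon did with tcpdump.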


