This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Dropping MS RPC traffic

Hi, in ASL 3.219, I am having trouble dropping traffic on port 135 (MS RPC, mostly from the Blaster worm, I believe).

I have defined a service
MS-RPC with source:any, dest:any, tcp/udp, port 135, and added a rule (#1) to DROP it, but it is still showing up in the logs:
Code:

 17:25:20 216.63.220.92 2081 ->  123.123.123.70  135 TCP SYN

It is listed on the filter livelog page as:
Code:

Chain USR_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3014  145K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1024:65535 dpt:135 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:1024:65535 dpt:135

How can I get asl to not log these packets?

Thanks

This thread was automatically locked due to age.

Parents

0 Simon Shaw over 22 years ago

Your filter is incorrect.

When specifying traffic coming into the system like this you need packet filter to read:

From: ANY
Service: RPC
Destination: Red Interface (External)
DROP

Not Destination: Any
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Simon Shaw over 22 years ago

Your filter is incorrect.

When specifying traffic coming into the system like this you need packet filter to read:

From: ANY
Service: RPC
Destination: Red Interface (External)
DROP

Not Destination: Any
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 ClausP over 22 years ago in reply to Simon Shaw

Hey, why is the filter of barrygold incorrect ?!? [;)]

The rule your are posting blocks only RPC traffic from outside to inside and not RPC traffic in different inside subnets.

Btw. if anyone is using an ip transit net your filter does not work ! [;)]

greetz
Claus
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 22 years ago in reply to ClausP

I'm not using MASQ or NAT, so I believe blocking only the ext addr would not be very helpful.

I have now tried blocking all internal dest addrs, but that isn't working either!

I already have a similar rule for {netbios}, and it seems to work fine.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 22 years ago in reply to BarryG

OK, I just noticed something else...

With the drop rule in place, the only blaster scans showing up are against the ips of the 3 nics in the ASL box (.1, .70, and .74)

So, do I need to add more rules to drop these packets?
dest:ANY won't work?

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 22 years ago in reply to BarryG

OK, apparently I needed to define more rules...

A group with the addressess of all the nic's in the firewall seems to help... I probably should add another one for the broadcast and network addresses for each interface also.
Cancel
Vote Up 0 Vote Down

Cancel