
Firewall: MS-RPC filtering / UUID

Is there any way in Sophos UTM Network Protection Firewall to identify, and either permit or reject MS-RPC traffic?

I'm not talking about RPC over HTTP, but about regular RPC traffic (destination port: 1024:65535/tcp).

I want to let clients coming from VPN to talk to domain controllers, but I do not want to open a big hole of 64511 ports for them. Setting a static RPC port range on the server side is not an option.

With a Juniper SRX firewall I can very easily use UUIDs (Universally Unique IDentifiers) to identify RPC traffic. For example:

# show groups junos-defaults applications application junos-ms-rpc-uuid-any-tcp 

term t1 protocol tcp uuid ffffffff-ffff-ffff-ffff-ffffffffffff;

{primary:node0}[edit]


Then I can use "junos-ms-rpc-uuid-any-tcp" as a destination port instead of opening a range of ports (1024:65535/tcp), and the SRX firewall knows it is related MS-RPC traffic based on the UUID obtained by protocol inspection.

Can Sophos UTM work with RPC UUIDs?

See the following links for more information about UUID:


This thread was automatically locked due to age.
  • Hi Bob,

    I've got some log records for you related to MS-RPC. I've removed that huge RPC port range from allowed traffic, so you can see what I'm talking about. BTW, it's exactly as firebear described:
    1. first, a connection to destination port 135/tcp
    2. then, negotiation of a new port from the dynamic port range 1024:65535/tcp; let's say the result of that negotiation is port number 46567/tcp
    3. then, a connection to the negotiated port, for example 46567/tcp, and the rest of the communication continues over that port

    Here is an extract from my Sophos UTM firewall log file:

    /var/log/packetfilter.log:2013:08:13-13:52:41 juno-1 ulogd[8307]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="22" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4322" dstport="135" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:52:41 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4323" dstport="49156" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:52:44 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4323" dstport="49156" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:52:50 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4323" dstport="49156" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:53:02 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4325" dstport="49154" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:53:05 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4325" dstport="49154" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:53:11 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4325" dstport="49154" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:53:23 juno-1 ulogd[8307]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="22" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4332" dstport="135" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:53:23 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4333" dstport="49156" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:53:26 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4333" dstport="49156" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:53:32 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4333" dstport="49156" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:53:43 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4335" dstport="49154" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:53:47 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4335" dstport="49154" tcpflags="SYN"
    /var/log/packetfilter.log:2013:08:13-13:53:53 juno-1 ulogd[8307]: id="2003" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="23" initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="X.Y.22.10" dstip="X.Y.204.200" proto="6" length="48" tos="0x00" prec="0x00" ttl="127" srcport="4335" dstport="49154" tcpflags="SYN"


    As you can see, a connection to port 135/tcp is accepted, then ports 49156 and 49154 are negotiated as ports for further communication. That traffic is however blocked by the firewall, since there's no way Sophos UTM can figure out this is related traffic. Or at least, I do not know how to let Sophos UTM figure that out.
Reply
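The three-step pattern described in the reply above (accepted SYN to 135/tcp, then rejected SYNs to a high port from the same client to the same server) can be pulled out of packetfilter.log automatically. The script below is an added example, not code from the post or from Sophos: it parses the ulogd key="value" records, remembers the last accepted endpoint-mapper connection per (srcip, dstip) pair, and flags every rejected TCP SYN to a port in the dynamic range that follows it within a configurable window. The sample log lines are constructed from the format quoted in the post (same placeholder addresses, rule numbers and timestamps); the 60-second window and the 1024 lower bound are assumptions, and the function names are mine.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# ulogd writes one key="value" pair per field; the grep prefix
# (/var/log/packetfilter.log:<timestamp>) and the syslog header carry no quoted fields.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_RE = re.compile(r'(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})')
REQUIRED = {"action", "srcip", "dstip", "srcport", "dstport", "proto"}


def parse_line(line):
    """Return one log record as a dict (timestamp parsed, ports as int), or None."""
    m = TS_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(line))
    if not REQUIRED.issubset(fields):
        return None
    fields["ts"] = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    fields["srcport"] = int(fields["srcport"])
    fields["dstport"] = int(fields["dstport"])
    return fields


def find_rpc_followups(lines, window=timedelta(seconds=60), dyn_low=1024):
    """Flag rejected TCP SYNs to a dynamic port that follow, within `window`,
    an accepted SYN to 135/tcp between the same source and destination.
    These are the endpoint-mapper follow-up connections that a port-based
    rule set cannot tie back to the 135/tcp session."""
    last_epm = {}   # (srcip, dstip) -> time of the last accepted 135/tcp SYN
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "6":
            continue
        pair = (rec["srcip"], rec["dstip"])
        if rec["dstport"] == 135 and rec["action"] == "accept":
            last_epm[pair] = rec["ts"]
            continue
        if rec["action"] != "reject" or rec["dstport"] < dyn_low:
            continue
        epm_ts = last_epm.get(pair)
        if epm_ts is not None and timedelta(0) <= rec["ts"] - epm_ts <= window:
            hits.append({"ts": rec["ts"], "srcip": rec["srcip"], "dstip": rec["dstip"],
                         "srcport": rec["srcport"], "dstport": rec["dstport"],
                         "fwrule": rec.get("fwrule"),
                         "after_epm_s": int((rec["ts"] - epm_ts).total_seconds())})
    return hits


def rejected_ports(hits):
    """Count rejected SYNs per (srcip, dstip, dstport): the candidate dynamic ports.
    SYN retransmissions show up as repeated entries for the same port."""
    return Counter((h["srcip"], h["dstip"], h["dstport"]) for h in hits)


# Constructed sample in the ulogd format quoted in the post (not captured traffic).
def _rec(ts, action, rule, srcport, dstport, srcip="X.Y.22.10", dstip="X.Y.204.200"):
    name = "Packet accepted" if action == "accept" else "Packet rejected"
    rid = "2002" if action == "accept" else "2003"
    return (f'/var/log/packetfilter.log:{ts} juno-1 ulogd[8307]: id="{rid}" severity="info" '
            f'sys="SecureNet" sub="packetfilter" name="{name}" action="{action}" fwrule="{rule}" '
            f'initf="ppp8" outitf="eth1" srcmac="0:1a:8c:f0:2b:61" srcip="{srcip}" dstip="{dstip}" '
            f'proto="6" length="48" tos="0x00" prec="0x00" ttl="127" '
            f'srcport="{srcport}" dstport="{dstport}" tcpflags="SYN"')


SAMPLE_LOG = [
    _rec("2013:08:13-13:52:41", "accept", 22, 4322, 135),
    _rec("2013:08:13-13:52:41", "reject", 23, 4323, 49156),
    _rec("2013:08:13-13:52:44", "reject", 23, 4323, 49156),
    _rec("2013:08:13-13:52:50", "reject", 23, 4323, 49156),
    _rec("2013:08:13-13:53:02", "reject", 23, 4325, 49154),
    _rec("2013:08:13-13:53:23", "accept", 22, 4332, 135),
    _rec("2013:08:13-13:53:23", "reject", 23, 4333, 49156),
    _rec("2013:08:13-13:53:40", "reject", 23, 4340, 443, srcip="X.Y.22.11"),  # no 135/tcp first
    _rec("2013:08:13-13:55:00", "reject", 23, 4350, 49160),                    # outside the window
]

if __name__ == "__main__":
    hits = find_rpc_followups(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["srcip"]}:{h["srcport"]} -> {h["dstip"]}:{h["dstport"]} '
              f'rejected by rule {h["fwrule"]} {h["after_epm_s"]}s after 135/tcp accept')
    for (src, dst, port), n in rejected_ports(hits).items():
        print(f"{src} -> {dst}:{port}: {n} rejected SYN(s)")
```

Run it against a real extract with `find_rpc_followups(open("/var/log/packetfilter.log").readlines())`. The correlation is deliberately loose (any rejected high port after a 135/tcp accept, not a UUID match), so it is a triage aid for confirming what the endpoint mapper handed out, not a substitute for the protocol-aware matching the SRX does; the window keeps unrelated rejects from being attributed to an old endpoint-mapper session.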