From: Todd H. on
JClark <jclark(a)nomail.invalid> writes:

> Returning to the original question, a summary, as I see it (not
> necessarily correctly):
>
> It seems the router is sending UDP packets to 255.255.255.255 (both
> source and destination ports = 520), or to 192.168.1.255 (source port
> ranging from 7000 to 7259, and destination port 162).
>
> I have no idea what this all means.

UDP 162 is the SNMP trap port. If you're not familiar with simple
network management protocol, this traffic to 162 may simply be the
network device attempting to send traps to be logged by an SNMP
management station.

UDP 520 is RIP routing. The router is advertising routes with this
exceedingly simple, easy to spoof protocol.

Both should be functionality that can be disabled in the source
network device.

Best Regards,
--
Todd H.
http://www.toddh.net/
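
An added example, not part of the original posts: a decoder for the RIP payload a router broadcasts on UDP 520, showing what is advertised and whether the update carries any authentication. The sample bytes and the `parse_rip` and `review` names are constructed for illustration; the layout is the standard 4-byte header followed by 20-byte entries.

```python
import ipaddress
import struct

# Constructed sample: a RIPv1 response carrying one route (192.168.1.0, metric 1),
# the kind of payload a router broadcasts to 255.255.255.255 on UDP 520.
SAMPLE = bytes.fromhex("02010000" "00020000" "c0a80100" "00000000" "00000000" "00000001")

COMMANDS = {1: "request", 2: "response"}


def parse_rip(payload: bytes) -> dict:
    """Decode a RIPv1/RIPv2 message: 4-byte header, then 20-byte entries."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("not a well-formed RIP message")
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    routes, authenticated = [], False
    for off in range(4, len(payload), 20):
        afi, _tag, addr, mask, _nhop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + 20])
        if afi == 0xFFFF:  # RIPv2 authentication entry, carries no route
            authenticated = True
            continue
        routes.append({
            "network": str(ipaddress.IPv4Address(addr)),
            # RIPv1 sends no mask; the field is zero and receivers infer it
            "mask": str(ipaddress.IPv4Address(mask)) if version >= 2 else None,
            "metric": metric,  # 16 means unreachable
        })
    return {"command": COMMANDS.get(command, f"unknown({command})"),
            "version": version, "authenticated": authenticated, "routes": routes}


def review(msg: dict) -> list:
    """Return defender-facing notes about a decoded message."""
    notes = []
    if msg["version"] == 1:
        notes.append("RIPv1: no authentication field exists")
    elif not msg["authenticated"]:
        notes.append("RIPv2 sent without an authentication entry")
    if any(r["metric"] > 16 for r in msg["routes"]):
        notes.append("metric above 16 is invalid")
    return notes


if __name__ == "__main__":
    decoded = parse_rip(SAMPLE)
    print(decoded)
    print(review(decoded))
```
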
From: JClark on
On Wed, 09 Jul 2008 13:06:15 -0500, comphelp(a)toddh.net (Todd H.)
wrote:

>JClark <jclark(a)nomail.invalid> writes:
>
>> Returning to the original question, a summary, as I see it (not
>> necessarily correctly):
>>
>> It seems the router is sending UDP packets to 255.255.255.255 (both
>> source and destination ports = 520), or to 192.168.1.255 (source port
>> ranging from 7000 to 7259, and destination port 162).
>>
>> I have no idea what this all means.
>
>UDP 162 is the SNMP trap port. If you're not familiar with simple
>network management protocol, this traffic to 162 may simply be the
>network device attempting to send traps to be logged by an SNMP
>management station.
>
>UDP 520 is RIP routing. The router is advertising routes with this
>exceedingly simple, easy to spoof protocol.
>
>Both should be functionality that can be disabled in the source
>network device.
>
>Best Regards,
>Both should be functionality that can be disabled in the source
>network device.
Sounds like good advice. I'll work on the Linksys setup with their
web-based configuration program.
I'm still not understanding it all in depth, but your comments and the
earlier replies have given me a good base to work with.
Thank you.

Jack
From: JClark on
On Wed, 9 Jul 2008 12:32:42 -0500, VanguardLH <V(a)nguard.LH> wrote:

>JClark wrote:
>
>> On Tue, 8 Jul 2008 16:00:45 -0500, VanguardLH <V(a)nguard.LH> wrote:
>>
>>>JClark wrote:
>>>
>>>> VanguardLH wrote:
>>>>
>>>>> Is UPnP enabled in the router? Try disabling it or check that it is
>>>>> disabled.
>>>>
>>>> Yes, UPnP is disabled in the router.
>>>
>>>I'm wondering in "2008/07/08, 05:40:15.921, GMT -0400, 2010, Device 3"
>>>as to what is "device 3". Might it be whatever is plugged into the port
>>>numbered 3 on the router? If so, is that your host or another one? If
>>>another one, try yanking the cable out of port #3 on the router to see
>>>if it all quiets down.
>> Hello VanguardLH,
>>
>> The firewall (Deerfield Visnetic) recognizes and lists four devices or
>> "adapters".
>> #1 is labeled \DEVICE\NDISWANBH (? a WAN miniport)
>> #2 is labeled Dialup Adapter
>> #3 is labeled Local Area Connection
>> #4 is labeled Local Area Connection
>>
>> (#3 and #4 correspond to two LAN connections on the motherboard, which
>> correspond to two networking adapters seen in Device Manager. Only the
>> one corresponding to Local Area Connection #3 on the firewall is being
>> used.)
>>
>> I have configured the firewall to block everything on adapters #1
>> and #2 and #4.
>>
>> The one I use is Device #3, LAN.
>>
>> Returning to the original question, a summary, as I see it (not
>> necessarily correctly):
>>
>> It seems the router is sending UDP packets to 255.255.255.255 (both
>> source and destination ports = 520), or to 192.168.1.255 (source port
>> ranging from 7000 to 7259, and destination port 162).
>>
>> I have no idea what this all means.
>>
>> Again, I appreciate your help.
>>
>> Jack
>
>Oops, my bad. I thought the "log" was from the router's firewall, not
>from your software firewall on your intranet host. Have you checked
>your router's logs? Did you enable logging in the router? Sometimes
>the router's logs are not so easy to read plus it might be limited in
>the number of records retained. WallWatcher works with some routers to
>extract their logs so you can review them locally.
Nothing unusual in the router logs.
Thanks for the suggestion.

Jack
From: JClark on
On Wed, 09 Jul 2008 13:06:15 -0500, comphelp(a)toddh.net (Todd H.)
wrote:

>JClark <jclark(a)nomail.invalid> writes:
>
>> Returning to the original question, a summary, as I see it (not
>> necessarily correctly):
>>
>> It seems the router is sending UDP packets to 255.255.255.255 (both
>> source and destination ports = 520), or to 192.168.1.255 (source port
>> ranging from 7000 to 7259, and destination port 162).
>>
>> I have no idea what this all means.
>
>UDP 162 is the SNMP trap port. If you're not familiar with simple
>network management protocol, this traffic to 162 may simply be the
>network device attempting to send traps to be logged by an SNMP
>management station.
>
>UDP 520 is RIP routing. The router is advertising routes with this
>exceedingly simple, easy to spoof protocol.
>
>Both should be functionality that can be disabled in the source
>network device.
>
>Best Regards,
Todd,
Some good news. I was able to disable RIP routing in the router, and
now all the traffic over UDP 520 has stopped.
Now I need to work on the SNMP 162. It isn't quite as clear.
But it seems I'm on the right track.
Many thanks again.

Jack
From: Todd H. on
JClark <jclark(a)nomail.invalid> writes:

> On Wed, 09 Jul 2008 13:06:15 -0500, comphelp(a)toddh.net (Todd H.)
> wrote:
>
>>JClark <jclark(a)nomail.invalid> writes:
>>
>>> Returning to the original question, a summary, as I see it (not
>>> necessarily correctly):
>>>
>>> It seems the router is sending UDP packets to 255.255.255.255 (both
>>> source and destination ports = 520), or to 192.168.1.255 (source port
>>> ranging from 7000 to 7259, and destination port 162).
>>>
>>> I have no idea what this all means.
>>
>>UDP 162 is the SNMP trap port. If you're not familiar with simple
>>network management protocol, this traffic to 162 may simply be the
>>network device attempting to send traps to be logged by an SNMP
>>management station.
>>
>>UDP 520 is RIP routing. The router is advertising routes with this
>>exceedingly simple, easy to spoof protocol.
>>
>>Both should be functionality that can be disabled in the source
>>network device.
>>
>>Best Regards,
> Todd,
> Some good news. I was able to disable RIP routing in the router, and
> now all the traffic over UDP 520 has stopped.
> Now I need to work on the SNMP 162. It isn't quite as clear.
> But it seems I'm on the right track.
> Many thanks again.

Disabling SNMP in general on the device is a good idea if you're not
using it. Did I miss in this thread where the make/model of the
router was mentioned?


--
Todd H.
http://www.toddh.net/