
Wireshark-bugs: [Wireshark-bugs] [Bug 2482] Some Wireshark Firewall ACL Rules are off-the-mark

Date: Mon, 21 Apr 2008 12:59:00 -0700 (PDT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2482

--- Comment #5 from Priscilla Oppenheimer <po@xxxxxxxxxxxxx>  2008-04-21 12:58:58 GMT ---
Yes, I know you can choose which address to use in the ACL using the "Filter" pop-down menu.


I have the Inbound checkbox checked. So what does "egress" mean in that case?
The reply back??

Packet:

Internet Protocol, Src: 192.168.1.141
Dst: 192.168.1.123
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Differentiated Services Codepoint: Default (0x00)
Total Length: 60
Identification: 0x1da1 (7585)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 32
Protocol: TCP (0x06)
Header checksum: 0xb8c2 [correct]
Source: 192.168.1.141
Destination: 192.168.1.123
Transmission Control Protocol, Src Port: 48150 (48150), Dst Port: tcpmux (1), Seq: 0, Len: 0
Source port: 48150 (48150)
Destination port: tcpmux (1)


With Inbound and Deny checked and using the pull-down menu that says
"192.168.1.141 + TCP port 48150," the inbound rule created by Wireshark is:


access-list NUMBER deny tcp host 192.168.1.123 any eq 1


That packet wouldn't occur on ingress or egress or anywhere on the wire (in
relation to the packet above, anyway).

The ingress would be:

access-list NUMBER deny tcp host 192.168.1.141 any eq 1

The packet back (if the target were to reply) would be:

access-list NUMBER deny tcp host 192.168.1.123 any eq 48150

See what I'm getting at??



I can't get wireshark to compose the rule I really want, which is to block
ingress traffic into my Internet-facing interface on my border firewall from
the evil-doer (192.168.1.141) who is sending traffic to port 1. This is what
the rule should be:

access-list NUMBER deny tcp host 192.168.1.141 any eq 1


Unchecking inbound helps a little, but it creates a rule that says any (instead
of my specific sender) and a specific recipient (when I want any).

access-list NUMBER deny tcp any host 192.168.1.123 eq 1


Using the other pull-down menu (192.168.1.123 + TCP port 1) also doesn't create
what I want. In fact, it creates the same rules! Is that a bug?


And this is a problem for general-purpose traffic, not just traffic to port 1.

It's no biggie. I can edit the rules, but I think there might be some bugs
worth investigating.

Thanks.


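As an added example (not part of the bug thread and not Wireshark's own ACL generator), the following Python models the three rule shapes the comment spells out from the captured packet: the ingress rule (attacker host, victim service port), the reply rule, and the "any sender to this victim service" rule. It also includes a small matcher for Cisco extended ACL entries of the `host X`/`any` form so that each generated rule can be checked against the packet or its reply. The dissection text is constructed from the packet in the comment, trimmed to the lines the parser needs; the matcher understands only the `host`/`any` and `eq PORT` syntax used in the rules above, not the full IOS grammar.

```python
import re
from dataclasses import dataclass

# Constructed sample: the dissection from the bug comment, trimmed to the lines
# the rule generator needs.
DISSECTION = """\
Internet Protocol, Src: 192.168.1.141
Dst: 192.168.1.123
Protocol: TCP (0x06)
Transmission Control Protocol, Src Port: 48150 (48150), Dst Port: tcpmux (1), Seq: 0, Len: 0
Source port: 48150 (48150)
Destination port: tcpmux (1)
"""

# The rule the comment says Wireshark produced for "Inbound + Deny".
GENERATED_BY_TOOL = "access-list NUMBER deny tcp host 192.168.1.123 any eq 1"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def parse_dissection(text: str) -> Flow:
    """Pull addresses, ports and protocol out of a Wireshark-style text dissection."""
    src = re.search(r"^Internet Protocol, Src: (\S+)", text, re.M).group(1)
    dst = re.search(r"^Dst: (\S+)", text, re.M).group(1)
    sport = int(re.search(r"^Source port: \S+ \((\d+)\)", text, re.M).group(1))
    dport = int(re.search(r"^Destination port: \S+ \((\d+)\)", text, re.M).group(1))
    proto = re.search(r"^Protocol: (\w+)", text, re.M).group(1).lower()
    return Flow(src, dst, sport, dport, proto)


def reply_of(flow: Flow) -> Flow:
    """The packet the target would send back: addresses and ports swapped."""
    return Flow(flow.dst, flow.src, flow.dport, flow.sport, flow.proto)


def cisco_extended_rule(flow: Flow, view: str, action: str = "deny", acl: str = "NUMBER") -> str:
    """Build a Cisco IOS extended ACL entry for one view of the flow.

    "ingress": the captured packet entering the border interface, keyed on the
               sending host and the service port it targets
               (deny tcp host <src> any eq <dport>)
    "reply":   the target's answer going back out
               (deny tcp host <dst> any eq <sport>)
    "to_dest": any sender toward the specific target service
               (deny tcp any host <dst> eq <dport>)
    These are the rule shapes listed in the comment; the mapping is this
    example's, not Wireshark's code.
    """
    if view == "ingress":
        return f"access-list {acl} {action} {flow.proto} host {flow.src} any eq {flow.dport}"
    if view == "reply":
        return f"access-list {acl} {action} {flow.proto} host {flow.dst} any eq {flow.sport}"
    if view == "to_dest":
        return f"access-list {acl} {action} {flow.proto} any host {flow.dst} eq {flow.dport}"
    raise ValueError(f"unknown view {view!r}")


def rule_matches(rule: str, flow: Flow) -> bool:
    """Return True if a simple extended ACL entry would match the given packet.

    Handles 'access-list N <action> <proto> <src> [eq P] <dst> [eq P]' where
    each address is 'host A' or 'any'. Anything else raises ValueError.
    """
    tok = rule.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"unsupported rule: {rule!r}")
    proto = tok[3]

    def take_addr(i):
        if tok[i] == "any":
            return None, i + 1
        if tok[i] == "host":
            return tok[i + 1], i + 2
        raise ValueError(f"unsupported address spec at {tok[i]!r}")

    def take_port(i):
        if i < len(tok) and tok[i] == "eq":
            return int(tok[i + 1]), i + 2
        return None, i

    src, i = take_addr(4)
    sport, i = take_port(i)
    dst, i = take_addr(i)
    dport, i = take_port(i)
    if i != len(tok):
        raise ValueError(f"trailing tokens in rule: {tok[i:]}")
    return (proto == flow.proto
            and (src is None or src == flow.src)
            and (sport is None or sport == flow.sport)
            and (dst is None or dst == flow.dst)
            and (dport is None or dport == flow.dport))


if __name__ == "__main__":
    pkt = parse_dissection(DISSECTION)
    for view in ("ingress", "reply", "to_dest"):
        print(view, "->", cisco_extended_rule(pkt, view))
    print("tool rule matches packet:", rule_matches(GENERATED_BY_TOOL, pkt))
    print("tool rule matches reply :", rule_matches(GENERATED_BY_TOOL, reply_of(pkt)))
```

Running the matcher on the rule quoted in the comment shows the point being made: `host 192.168.1.123 any eq 1` names the target as the source but keeps the attacker's destination port, so it matches neither the captured packet nor its reply, whereas the ingress rule built from the sender and the destination port matches the packet as it arrives at the border interface.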