From: Scott Morris (smorris@xxxxxxxxxxxxxx)
Date: Sat Jun 16 2001 - 11:58:41 GMT-3
First, if you do an extended trace on a Cisco box... (just type "trace" in
privileged mode), one of the options you'll see is port number (default is
34000'something).

Second, I just hooked up my trusty-rusty sniffer and did a tracert from my
Win2k box and watched the ICMP echo packets get originated....

Alternatively, I went to a couple routers and did a trace back to my box,
and saw the high-UDP packets come in...

So..... Unfortunately, Jeff's book is incorrect there. Most likely an
editor "corrected" it somewhere along the way. :)

Scott

-----Original Message-----
From: tom cheung [mailto:tkc9789@hotmail.com]
Sent: Saturday, June 16, 2001 10:47 AM
To: smorris@mentortech.com; Earl@dnssystems.com; ccielab@groupstudy.com
Subject: RE: Access-list - Deny TFTP
Scott,
According to Doyle's "Routing TCP/IP Volume II", page 354, "Cisco's trace
use ICMP packets and Microsoft Windows 95 uses UDP packets...".
So which one is correct?
Tom
>From: "Scott Morris" <smorris@mentortech.com>
>Reply-To: "Scott Morris" <smorris@mentortech.com>
>To: "'Earl Aboytes'" <Earl@dnssystems.com>, "'Dean, Justin'"
><Justin.Dean@nrtinc.com>, <ccielab@groupstudy.com>
>Subject: RE: Access-list - Deny TFTP
>Date: Fri, 15 Jun 2001 16:41:48 -0400
>
>It depends. :)
>
>On unix/Cisco, you send out udp packets to a high port (each probe packet is
>the same). The port number can be any high port, but usually is something
>above 50000 (REALLY high). The messages coming back in will be ICMP - TTL
>Exceeded (along the way) or ICMP - Port Unreachable (at the final
>destination).
>
>On Windows, you send out regular ICMP echos incrementing the TTL each time,
>so you'll get the ICMP - TTL Exceeded messages back or an ICMP - Echo Reply
>at the final destination.
>
>Enjoy!
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Earl Aboytes
>Sent: Friday, June 15, 2001 4:31 PM
>To: 'Dean, Justin'; 'ccielab@groupstudy.com'
>Subject: RE: Access-list - Deny TFTP
>
>
>Justin,
>I think that you are thinking of the trickiness that is involved with
>blocking traceroute. Traceroute uses udp on a very high port first and then
>icmp for the rest. Allowing it in one direction but not the other is very
>tricky.
>Someone correct me if I am wrong but I believe it uses UDP 3000 or higher
>with a ttl that increases by one each time and then waits for the icmp error
>to come back.
>
>Packet 1 udp port 3001 ttl=1
>Packet 2 udp port 3002 ttl=2
>And so forth.
>
>
>
> -----Original Message-----
>From: Dean, Justin [mailto:Justin.Dean@nrtinc.com]
>Sent: Tuesday, June 12, 2001 9:34 AM
>To: 'ccielab@groupstudy.com'
>Subject: Access-list - Deny TFTP
>
>I am drawing a blank and I can't remember the proper way to block TFTP in an
>access list. Can someone help me out. Thanks,
>
>Justin
>**Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:24 GMT-3
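
Added example, not part of the original thread: a Python classifier that labels IPv4 packets by the traceroute roles the thread describes (UDP high-port probes, ICMP echo probes, and the ICMP TTL Exceeded, Port Unreachable and Echo Reply messages that come back), which is the distinction a filter has to make per direction. The packets are constructed with documentation addresses; the 33434 port threshold and all helper names are assumptions of this example.

```python
import socket
import struct

HIGH_PORT = 33434  # assumption: UDP destination ports at or above this count as trace probes

def ipv4(proto, ttl, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Build a constructed IPv4 packet; checksum is left 0 because nothing here checks it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def udp(dport, sport=40000):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def icmp(icmp_type, code, quoted=b""):
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted

def classify(packet):
    """Label one IPv4 packet with the traceroute role described in the thread."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto, l4 = packet[8], packet[9], packet[ihl:]
    if proto == 17:  # UDP: Unix/Cisco-style probe if aimed at a high port
        dport = struct.unpack("!H", l4[2:4])[0]
        return f"udp-probe ttl={ttl}" if dport >= HIGH_PORT else f"other-udp dport={dport}"
    if proto != 1:
        return "other"
    kind = (l4[0], l4[1])  # ICMP type, code
    if kind == (8, 0):
        return f"icmp-echo-probe ttl={ttl}"  # Windows tracert-style probe
    if kind == (0, 0):
        return "echo-reply"
    names = {(11, 0): "ttl-exceeded", (3, 3): "port-unreachable"}
    if kind in names and len(l4) >= 8 + 20:
        # ICMP errors quote the offending datagram, so the probe type is recoverable.
        return f"{names[kind]} for {classify(l4[8:]).split()[0]}"
    return "other-icmp"

# Constructed sample packets (documentation addresses, not captured traffic).
UNIX_PROBE = ipv4(17, 1, udp(33435))
WIN_PROBE = ipv4(1, 2, icmp(8, 0))
SAMPLES = [
    UNIX_PROBE,
    WIN_PROBE,
    ipv4(1, 250, icmp(11, 0, UNIX_PROBE), src="203.0.113.1", dst="192.0.2.10"),
    ipv4(1, 250, icmp(11, 0, WIN_PROBE), src="203.0.113.1", dst="192.0.2.10"),
    ipv4(1, 60, icmp(3, 3, ipv4(17, 1, udp(33440))), src="198.51.100.20", dst="192.0.2.10"),
    ipv4(1, 60, icmp(0, 0), src="198.51.100.20", dst="192.0.2.10"),
    ipv4(17, 64, udp(69)),  # TFTP request port, the thread's original subject
]
print(*map(classify, SAMPLES), sep="\n")
```

The two `ttl-exceeded` samples look identical at the outer ICMP header; only the quoted inner datagram shows whether a UDP or an ICMP echo trace triggered them.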