RE: Access-list - Deny TFTP

From: tom cheung (tkc9789@xxxxxxxxxxx)
Date: Sat Jun 16 2001 - 18:28:32 GMT-3


   
Thanks for the capture. I guess Jeff Doyle made a mistake in his book.

Regards,

tom

>From: "Willy Schoots" <w.schoots@chello.nl>
>Reply-To: "Willy Schoots" <w.schoots@chello.nl>
>To: "tom cheung" <tkc9789@hotmail.com>, <smorris@mentortech.com>,
><Earl@dnssystems.com>, <ccielab@groupstudy.com>
>Subject: RE: Access-list - Deny TFTP
>Date: Sat, 16 Jun 2001 18:27:02 +0200
>
>Have a look below to see what I captured from my LAN using the Cisco trace
>command. Cisco uses high UDP ports together with incrementing TTL values.
>The MS tool (trace not included) uses ECHO ICMP requests. So it works as
>stated in the previous e-mail.
>
>So I guess Jeff Doyle made a little mistake (he confused the two) :-(
>
>Let me know if you need more proof. Use an access-list with the log argument to
>see it for yourself if you have access to a couple of routers.
>
>Cheers,
>
>Willy
>
>
>------------------------------------------------------------
>Trace 1(Cisco Trace tool): It only shows a 1 hop trace but it shows the
>principle.
>IP: ----- IP Header -----
> IP:
> IP: Version = 4, header length = 20 bytes
> IP: Type of service = 00
> IP: 000. .... = routine
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
> IP: .... ...0 = CE bit - no congestion
> IP: Total length = 28 bytes
> IP: Identification = 12650
> IP: Flags = 0X
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 1 seconds/hops
> IP: Protocol = 17 (UDP)
> IP: Header checksum = 65AE (correct)
> IP: Source address = [192.168.1.22]
> IP: Destination address = [62.163.34.88]
> IP: No options
> IP:
>UDP: ----- UDP Header -----
> UDP:
> UDP: Source port = 38207
> UDP: Destination port = 33434
> UDP: Length = 8
> UDP: Checksum = C54A (correct)
> UDP: [0 byte(s) of data]
> UDP:
>
>IP: ----- IP Header -----
> IP:
> IP: Version = 4, header length = 20 bytes
> IP: Type of service = 00
> IP: 000. .... = routine
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
> IP: .... ...0 = CE bit - no congestion
> IP: Total length = 56 bytes
> IP: Identification = 4452
> IP: Flags = 0X
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 128 seconds/hops
> IP: Protocol = 1 (ICMP)
> IP: Header checksum = 06A8 (correct)
> IP: Source address = [62.163.34.88]
> IP: Destination address = [192.168.1.22]
> IP: No options
> IP:
>ICMP: ----- ICMP header -----
> ICMP:
> ICMP: Type = 3 (Destination unreachable)
> ICMP: Code = 3 (Port unreachable)
> ICMP: Checksum = 1FD0 (correct)
> ICMP:
> ICMP: [Normal end of "ICMP header".]
> ICMP:
> ICMP: IP header of originating message (description follows)
> ICMP:
> ICMP: ----- IP Header -----
> ICMP:
> ICMP: Version = 4, header length = 20 bytes
> ICMP: Type of service = 00
> ICMP: 000. .... = routine
> ICMP: ...0 .... = normal delay
> ICMP: .... 0... = normal throughput
> ICMP: .... .0.. = normal reliability
> ICMP: .... ..0. = ECT bit - transport protocol will ignore the
>CE bit
> ICMP: .... ...0 = CE bit - no congestion
> ICMP: Total length = 28 bytes
> ICMP: Identification = 12650
> ICMP: Flags = 0X
> ICMP: .0.. .... = may fragment
> ICMP: ..0. .... = last fragment
> ICMP: Fragment offset = 0 bytes
> ICMP: Time to live = 1 seconds/hops
> ICMP: Protocol = 17 (UDP)
> ICMP: Header checksum = 65AE (correct)
> ICMP: Source address = [192.168.1.22]
> ICMP: Destination address = [62.163.34.88]
> ICMP: No options
> ICMP:
> ICMP: [First 8 byte(s) of data of originating message]
> ICMP:
>
>
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>tom cheung
>Sent: Saturday, June 16, 2001 4:47 PM
>To: smorris@mentortech.com; Earl@dnssystems.com; ccielab@groupstudy.com
>Subject: RE: Access-list - Deny TFTP
>
>
>Scott,
>According to Doyle's "Routing TCP/IP Volume II", page 354, "Cisco's trace
>use ICMP packets and Microsoft Windows 95 uses UDP packets...".
>So which one is correct?
>
>Tom
>
> >From: "Scott Morris" <smorris@mentortech.com>
> >Reply-To: "Scott Morris" <smorris@mentortech.com>
> >To: "'Earl Aboytes'" <Earl@dnssystems.com>, "'Dean, Justin'"
> ><Justin.Dean@nrtinc.com>, <ccielab@groupstudy.com>
> >Subject: RE: Access-list - Deny TFTP
> >Date: Fri, 15 Jun 2001 16:41:48 -0400
> >
> >It depends. :)
> >
> >On unix/Cisco, you send out udp packets to a high port (each probe packet is
> >the same). The port number can be any high port, but usually is something
> >above 50000 (REALLY high). The messages coming back in will be ICMP - TTL
> >Exceeded (along the way) or ICMP - Port Unreachable (at the final
> >destination).
> >
> >On Windows, you send out regular ICMP echos incrementing the TTL each time,
> >so you'll get the ICMP - TTL Exceeded messages back or an ICMP - Echo Reply
> >at the final destination.
> >
> >Enjoy!
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> >Earl Aboytes
> >Sent: Friday, June 15, 2001 4:31 PM
> >To: 'Dean, Justin'; 'ccielab@groupstudy.com'
> >Subject: RE: Access-list - Deny TFTP
> >
> >
> >Justin,
> >I think that you are thinking of the trickiness that is involved with
> >blocking traceroute. Traceroute uses udp on a very high port first and then
> >icmp for the rest. Allowing it in one direction but not the other is very
> >tricky.
> >Someone correct me if I am wrong but I believe it uses UDP 3000 or higher
> >with a ttl that increases by one each time and then waits for the icmp error
> >to come back.
> >
> >Packet 1 udp port 3001 ttl=1
> >Packet 2 udp port 3002 ttl=2
> >And so forth.
> >
> >
> >
> >-----Original Message-----
> >From: Dean, Justin [mailto:Justin.Dean@nrtinc.com]
> >Sent: Tuesday, June 12, 2001 9:34 AM
> >To: 'ccielab@groupstudy.com'
> >Subject: Access-list - Deny TFTP
> >
> >I am drawing a blank and I can't remember the proper way to block TFTP in an
> >access list. Can someone help me out? Thanks,
> >
> >Justin
> >**Please read:http://www.groupstudy.com/list/posting.html


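The probe and reply from Willy's capture, rebuilt byte for byte as an added example (not code from anyone in this thread) so a defender can see exactly what an access-list has to match: the UDP traceroute probe, the ICMP port-unreachable that quotes it, and a small classifier that separates TFTP (udp/69) from traceroute traffic by looking inside the ICMP error. The recomputed checksums reproduce the capture's 65AE, C54A, 06A8 and 1FD0; the 33434-33534 port range, the function names and the label strings are assumptions of this example.

```python
import ipaddress
import struct

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; IP, UDP and ICMP all use it."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, ttl, ident, payload_len):
    """20-byte IPv4 header (no options, flags clear) with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", csum(hdr)) + hdr[12:]

def udp_probe(src, dst, sport, dport, ttl, ident):
    """Cisco/Unix traceroute probe: an empty UDP datagram to a high port, sent with a low TTL."""
    pseudo = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + b"\x00\x11\x00\x08"
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    udp = udp[:6] + struct.pack("!H", csum(pseudo + udp))  # UDP checksum also covers the pseudo-header
    return ipv4_header(src, dst, 17, ttl, ident, 8) + udp

def icmp_port_unreachable(probe, ttl, ident):
    """The final hop's answer: ICMP type 3 code 3 quoting the probe's IP header plus 8 bytes."""
    body = struct.pack("!BBHI", 3, 3, 0, 0) + probe[:28]
    body = body[:2] + struct.pack("!H", csum(body)) + body[4:]
    return ipv4_header(probe[16:20], probe[12:16], 1, ttl, ident, len(body)) + body

def classify(pkt: bytes) -> str:
    """Label a packet the way an access-list has to, including the ICMP errors traceroute relies on."""
    if len(pkt) < 28:
        return "short"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 17:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if dport == 69:
            return "tftp"                        # the flow "deny udp any any eq 69" is aimed at
        return "traceroute-probe" if 33434 <= dport <= 33534 else "udp-other"  # assumed probe range
    if proto == 1:
        icmp_type, code = pkt[ihl], pkt[ihl + 1]
        if icmp_type == 11:
            return "icmp-ttl-exceeded"           # from intermediate hops; blocking it breaks traceroute
        if icmp_type == 3 and code == 3:
            inner = pkt[ihl + 8:]                # quoted original header: tells which flow the error is for
            return "port-unreachable-for-" + classify(inner)  # match on the quoted flow, not just type/code
    return "other"

PROBE = udp_probe("192.168.1.22", "62.163.34.88", 38207, 33434, ttl=1, ident=12650)  # values from the capture
REPLY = icmp_port_unreachable(PROBE, ttl=128, ident=4452)                              # TTL 128, id 4452 as captured
```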

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:24 GMT-3