As the bulk of the entries were generated by outgoing packets from a web
server and were related to access-list 100 (my NAT-pool ACL), I added

    access-list 100 permit tcp host *** eq 80 any

for each web server and no longer get any (ACL 100) port 0 log entries (from
my web servers).
> Terry Lee Moore wrote:
> >
> > > Date: Wed, 19 Jul 2000 13:58:32 -0500
> > > From: "Gary Maltzen" <[EMAIL PROTECTED]>
> > > Subject: denying tcp/0
> >
> > > I keep seeing (and denying) tcp packets with both source and
> > > destination port zero; can somebody tell me what purpose these serve?
> >
> > Gary,
> > tcp port 0 on a Cisco router is a bug.
>
> Ah, somebody else has seen this too :)
>
> I had to specifically allow port 0 to get some applications and
> systems working...primarily those associated with RPC. This even
> though I had tcp port specific filtering rules in the access list.
>
> Back to the original question:
>
> I've seen people mention that scanners like nmap use the slightly
> different responses to port 0 connection attempts to identify
> operating systems.
>
> > And finally, another example from Cisco:
> >
> > > Here are some other examples:
> >
> > > access-list 111 permit tcp any gt 0 any gt 0 log
> > > access-list 111 permit udp any gt 0 any gt 0 log
> > > access-list 111 permit ip any any 0 log
>
> I'd limit this to only the applications and systems that need it.
> Blanket permits make me nervous...particularly when associated with
> a bug. :)
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
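The thread above describes two defensive steps: finding out which hosts and which ACL the "port 0" log entries come from, and then writing a narrow per-host permit (as the poster did for the web servers) rather than a blanket permit. The following script is an added example, not code from any poster on this list. It parses constructed Cisco IOS %SEC-6-IPACCESSLOGP lines (the sample log text is made up for this example), totals the denied packets whose source and destination port are both 0 per (ACL, protocol, source host), and then emits a permit line in the poster's style only for source hosts the administrator has confirmed are web servers. The set of confirmed web servers, the router name and the addresses are all assumptions for the sake of the example.

```python
import re
from collections import Counter

# Constructed sample Cisco IOS ACL log lines (made up for this example; the
# format follows the IOS "%SEC-6-IPACCESSLOGP" message layout).
SAMPLE_LOG = """\
Jul 19 13:58:32 rtr1 %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.1.5(0) -> 192.168.1.2(0), 1 packet
Jul 19 13:58:40 rtr1 %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.1.5(0) -> 192.168.1.9(0), 3 packets
Jul 19 13:59:01 rtr1 %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.1.7(0) -> 192.168.1.2(0), 1 packet
Jul 19 13:59:15 rtr1 %SEC-6-IPACCESSLOGP: list 111 denied udp 10.1.1.20(0) -> 192.168.1.53(0), 2 packets
Jul 19 13:59:30 rtr1 %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.1.5(41234) -> 192.168.1.2(23), 1 packet
Jul 19 13:59:45 rtr1 %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.1.5(80) -> 192.168.1.2(51000), 1 packet
"""

# One regex for the per-packet ACL log message: list id, action, protocol,
# src(port) -> dst(port), and the packet count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Yield one dict per parseable IPACCESSLOGP line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entry = m.groupdict()
            for key in ("sport", "dport", "count"):
                entry[key] = int(entry[key])
            yield entry


def port_zero_summary(text):
    """Total denied packets with source AND destination port 0,
    keyed by (acl, proto, src host). Entries with real ports are ignored,
    so ordinary denies do not get mixed in with the port-0 noise."""
    totals = Counter()
    for e in parse_acl_log(text):
        if e["action"] == "denied" and e["sport"] == 0 and e["dport"] == 0:
            totals[(e["acl"], e["proto"], e["src"])] += e["count"]
    return totals


def suggest_permits(summary, acl, confirmed_web_servers, port=80):
    """Emit a per-host permit (the poster's fix) for each source host that
    shows up with port-0 denies on `acl` AND is in the admin-confirmed set
    of web servers. Hosts not in that set get no permit, in line with the
    advice to avoid blanket permits for a logging bug."""
    lines = []
    for (entry_acl, proto, src), _count in sorted(summary.items()):
        if entry_acl == acl and proto == "tcp" and src in confirmed_web_servers:
            lines.append(f"access-list {acl} permit tcp host {src} eq {port} any")
    return lines


if __name__ == "__main__":
    summary = port_zero_summary(SAMPLE_LOG)
    for (acl, proto, src), count in sorted(summary.items()):
        print(f"list {acl} {proto} {src}: {count} port-0 packets denied")
    # Assumed: only 10.1.1.5 has been verified to be a web server.
    for line in suggest_permits(summary, "100", {"10.1.1.5"}):
        print(line)
```

Run it against a real syslog export in place of SAMPLE_LOG; the summary tells you which list and which hosts are producing the entries, and the suggested permits cover only hosts you have explicitly put in the confirmed set, so 10.1.1.7 in the sample stays denied and logged until someone checks what it is.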