Wireshark-bugs: [Wireshark-bugs] [Bug 2482] New: Some Wireshark Firewall ACL Rules are off-the-m
Date: Sun, 20 Apr 2008 16:26:08 -0700 (PDT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2482

           Summary: Some Wireshark Firewall ACL Rules are off-the-mark
           Product: Wireshark
           Version: 0.99.6
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: NEW
          Severity: Minor
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: po@xxxxxxxxxxxxx


Build Information:
Version 0.99.6 (SVN Rev 20668)

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.6, with GLib 2.12.9, with libpcap
current-cvs.tcpdump.org.2007.01.04, with libz 1.2.3, with libpcre 6.7, with
Net-SNMP 5.2.1, with ADNS, with Lua 5.1, without GnuTLS, with Gcrypt 1.2.3,
with MIT Kerberos, without PortAudio, without AirPcap.

Running on Darwin 8.11.1, with libpcap version
current-cvs.tcpdump.org.2007.01.04.

Built using gcc 4.0.1 (Apple Computer, Inc. build 5367).

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Some of the firewall rules that Wireshark composes select the wrong direction
and/or port numbers.

For example, a device is using Nessus to scan my network. The goal is
to use Wireshark to build a Netfilter firewall rule to deny all
inbound traffic on the eth0 interface from the scanning device. The
scanning device is 192.168.1.141.

I know Netfilter (iptables) reasonably well. I've also checked with
other iptables users and they agree with me that the rule should be:

iptables -A INPUT -i eth0 -s 192.168.1.141/32 -j DROP


Wireshark composes this rule:

iptables -A INPUT -i eth0 -d 192.168.1.141/32 -j DROP

That can't be right unless what you're trying to block is traffic
back to the scanner and eth0 is on the side of the possible responder.

By the way, for comparison's sake, Wireshark gets it right for other
types of firewalls. It says a Cisco standard ACL (which is based on
source addr only) is this:

access-list NUMBER deny host 192.168.1.141

For Cisco extended, where source address comes first, it also gets it
right:

access-list NUMBER deny ip host 192.168.1.141 any

For ipfw, it gets it right:

add deny ip from 192.168.1.141 to any in

Also, iptables is good for this related situation where we want to
block the scanner specifically from sending to ports 0 and 443. These
rules are right:

iptables -A INPUT -p tcp --destination-port 0 -j DROP
and
iptables -A INPUT -p tcp --destination-port 443 -j DROP

But it gets squirrelly again if you include port numbers with Cisco
extended ACLs, for what it's worth. The wrong direction and port numbers are
selected.

Thanks for looking into this.


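Added example (not Wireshark's code): a small generator that produces the four rule formats quoted in the report for the "deny inbound from this peer" case, so the source/destination pairing per format is explicit, plus a check that flags an INPUT-chain iptables rule naming the peer as -d instead of -s, which is the defect reported. The address, interface and port values are the ones from the report; the function names are assumptions.

```python
"""Direction-aware firewall rule generator and sanity check.

Added example, not Wireshark code. 'inbound=True' means: block traffic
that the peer (the scanner) sends to us, so the peer is the SOURCE.
"""
import re

SCANNER = "192.168.1.141"  # address quoted in the bug report


def iptables_rule(addr, iface="eth0", inbound=True, port=None):
    """Netfilter: inbound -> INPUT chain, -i iface, peer as -s;
    outbound -> OUTPUT chain, -o iface, peer as -d."""
    chain, ifopt, addropt = (("INPUT", "-i", "-s") if inbound
                             else ("OUTPUT", "-o", "-d"))
    rule = f"iptables -A {chain} {ifopt} {iface} {addropt} {addr}/32"
    if port is not None:
        rule += f" -p tcp --destination-port {port}"
    return rule + " -j DROP"


def cisco_standard_rule(addr):
    """Standard ACLs match on source only, so there is no direction."""
    return f"access-list NUMBER deny host {addr}"


def cisco_extended_rule(addr, inbound=True, port=None):
    """Extended ACL: source first, destination second; a port qualifier
    placed after the destination applies to the destination port."""
    proto = "tcp" if port is not None else "ip"
    src, dst = (f"host {addr}", "any") if inbound else ("any", f"host {addr}")
    rule = f"access-list NUMBER deny {proto} {src} {dst}"
    return rule + (f" eq {port}" if port is not None else "")


def ipfw_rule(addr, inbound=True, port=None):
    """ipfw: 'from <src> to <dst> [dstport] in|out'."""
    proto = "tcp" if port is not None else "ip"
    src, dst = (addr, "any") if inbound else ("any", addr)
    rule = f"add deny {proto} from {src} to {dst}"
    rule += f" {port}" if port is not None else ""
    return rule + (" in" if inbound else " out")


# INPUT-chain rule that carries '-d <addr>' (not '--destination-port').
_INPUT_DST = re.compile(r"^iptables -A INPUT\b.*\s-d\s+(\S+)")


def misdirected(rule, addr):
    """True if an INPUT rule names addr as destination; an inbound block
    of a remote peer must name it as source (-s)."""
    m = _INPUT_DST.search(rule)
    return bool(m) and m.group(1).split("/")[0] == addr
```

Running misdirected() over the rule the reporter quotes as Wireshark's output returns True, while the hand-written rule and the three other formats pass.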