Disable 'block all other UDP packets'

Discussion in 'LnS English Forum' started by shadek, Apr 30, 2010.

Thread Status:
Not open for further replies.
  1. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
This is indeed excellent news whitedragon551! Just ensure the first two fields always do Ethernet type and IP protocol matching. Field #2 onwards is where you always want to begin specifying IP addresses and ports and whatever else. ;)
     
  2. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    On my LnS rules that I created with the Raw.dll: field 0 is eth and 2048 for port, field 1 is eth and 6 for the port for all the rules. Are those defaults or something?
     
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
Well folks, I wonder... wouldn't it be a lot easier to just attach the rules here (rename as TXT or whatever so that it lets you) so that someone else can work on them and fix them or whatever? Instead of describing in a zillion steps where to click. o_O
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
I already thought about doing that from the beginning, but I thought some wouldn’t mind getting a little dirty and possibly learning a little something and being a little more self-sufficient in this manner. Anyway, not for the faint of heart ... I guess that means you're excluded. :p

     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
Field identifier (0 to 15): field identifiers 0 and 1 aren’t used for port matching; they are used to specify Ethernet type (like IPv4) and IP protocol (like UDP) matching.

     
  6. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, I'm not gaming, I only d/l pr0n :p

    Anyway, that'd be useful even once the problem is solved so that others can recycle the rules for their use.
     
  7. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Hi Phant0m,

I have a question about the RAW rule - what exactly do the numbers next to the Inbound and Outbound fields mean? Is it bytes or what? How do I set these numbers properly?
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
Short answer: they are the offset position of the information (data) to be checked in the packet. To understand, you would need to capture some packets and check the offsets.

I don't have time at the moment for a detailed reply. I will try to find time later if your question is still not answered fully; however, I think this question should be in its own thread.

    - Stem
     
  9. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Hi Stem,

    do you mean "Frag. Offset" field in this window?
     

    Attached Files:

    • raw4.png
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hi Creer,

    Stem isn’t talking about specific type of information, any information in the packet header can be matched using their offsets. Ethernet type, IP protocol, source IP, destination IP, source port, destination port and so on...
     
  11. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    OK, I understand that in RAW editing mode the field size allows setting the number of bytes (1 to 6) of the field and it depends on Type in Field Offset:
    for ETH and TCP - it's 2 bytes
    for MAC - it's 6 bytes
    and for IP - it's 4 bytes.

    I also understand that for some instances of ETH/IP type in Value (Value1/2) field we should use this table: http://www.iana.org/assignments/ethernet-numbers
    I've also read this post made by Frederic:
    https://www.wilderssecurity.com/showpost.php?p=193819&postcount=3
    where he said:
But I still don't know how to connect this image with the number next to the inbound/outbound offset field o_O
So where, finally, will position 0 (out) and position 6 (in) be on the image of the data packet?
     
    Last edited: May 5, 2010
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
Actually, to match IP protocol the field size is 1 byte.

    “- position type: ETH, position is 0 for UL, position is 6 for DL” .. look at the orange section. Inside the yellow, 0 is Ether destination. :)
     
  13. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    "Actually, to match IP protocol the field size is 1byte." - Thanks for that didn't know.

OK, I know where position 0 is, but where will position 6 be for DL?
Where will position 8 be for UL and DL for IP protocol, or where will position 4 for UL and 0 for DL be for TCP?
Are those fields somehow limited to a number, or can I write any number there?
Under these images I can see a 32-bit scale, so do the numbers next to the In/Out offset field position refer to this?
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Creer,

    As I mentioned, it will be easier for you to look at some captured packets.

    Here is an example:-

    This is an outbound connection (as shown in Wireshark) SYN packet

    01.png

    If you select the Ethernet field it will show you the packet field length and data

    02.png

    If you open that field, the first entry is the destination MAC address (first 6 bytes)

    03.png

    The next entry in that field is the source MAC address, which is offset from the start of the Eth field by 6 bytes.

    04.png

    The last 2 bytes in that field are the Type.

05.png


    - Stem
     
    Last edited: May 5, 2010
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
cont.

    This is the SYN ACK reply to that outbound connection.

    08.png

Now, because this is a reply, you will note that the destination MAC address (in the outbound packet) is now the source.
So when creating a rule to check the Eth field for a MAC address, on the outbound packet you check "ETH offset 0", but in the reply you need to check for that MAC address at "ETH offset 6".


    - Stem
     
    Last edited: May 5, 2010
  16. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
Thank you Stem for your great, informative and outstanding reply - I think I finally got it, but to be sure I've prepared the next configuration for the IP and TCP fields for the SYN ACK reply. If I made a mistake, please correct me.

    1. IP - length
    ip1.png

    IP - source
    ip2s.png

    IP - destination
    ip3d.png

    For LnS RAW rule it will be:
    Inbound: 12
    Outbound: 16



2. TCP - length
    tcp.png

    TCP - source
    tcp1s.png
     
  17. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    cont.


    TCP - destination
    tcp2d.png

    For LnS RAW rule it will be:
    Inbound: 0
    Outbound: 2


    Am I right?
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
I want to see you make a single raw rule to accept incoming TCP packets matching TCP Flags ‘ACK+SYN’, source-IP & port and a temp range for destination ports. Use the first image in your previous post for the source-IP & port information. :shifty:
     
  19. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
It will not be as easy as I thought, but I can try anyway, so here are my rules:
     
    Last edited: May 6, 2010
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
You’re such a cheat! LOL! You created a standard rule and converted it over! :p

    You are also missing two additional fields and images. :)
     
  21. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
No I don't, and I didn't create a standard rule as you said.
I can explain every single field in my rules:
On the first screen, ETH > Field offset (12 for DL and 12 for UL) means Type of ETH; the value in the value field, 2048, is the decimal value (hex 0800) for IPv4.
Here I was thinking about changing EQUAL_VALUE1 to EQUAL_VALUE1OR2 because of the decimal value 34525 (86DD hex) for IPv6.

On the second screen, IP > Field offset (9 for DL and 9 for UL) means Protocol, and 6 is the decimal value of the TCP protocol (0x06 hex).
Here I was also thinking about changing the value EQUAL_VALUE1 to EQUAL_VALUE1OR2 and putting the decimal number 17 in the second value field because of the UDP protocol...

On the third screen, IP > Field offset (12 for DL and 16 for UL) means source and destination IP address; the value field is set to the IP the connection is incoming from.

About the last one, I'm not sure about the port range - is it correct?
Which fields did I miss?
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    lol!

    You did it right. :)
     
  23. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    ... ;)
     
  24. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
Wow, I didn't expect that this is correct... I'm in shock... probably it's called beginner's luck.

I'm just curious about which (missing two additional) fields you are talking about?

Your task/exercise just reminds me of the old times when you did a quiz here on the LnS forum connected with LnS rules :)


"matching TCP Flags ‘ACK+SYN’, source-IP & port"

Is it correct? I don't know how to create the last rule...
     

    Attached Files:

    • raw5.png
    Last edited: May 6, 2010
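A worked model of the offset matching Stem walks through in posts 14 and 15 and of the rule set Creer lays out in post 21, as an added example that is not code from the original thread or from Look 'n' Stop itself. It builds a constructed outbound SYN and its SYN+ACK reply (made-up MACs, IPs and ports, checksums left at zero), reads header fields by (layer, offset, size) exactly as the RAW editor's Inbound/Outbound offsets do, and evaluates a rule list with one offset per direction. The tuple layout and the RANGE operator name are assumptions for illustration; EQUAL_VALUE1 and EQUAL_VALUE1OR2 are the operator names the thread uses. The TCP flags byte sitting at TCP offset 13 (SYN = 0x02, ACK = 0x10) is taken from the TCP header layout, not from the thread, and is the piece Creer's last rule needs.

```python
import struct
import ipaddress

# Constructed sample data (not captures from the thread): a local host behind a
# gateway opens a TCP connection to a web server and receives the SYN+ACK.
LOCAL_MAC = bytes.fromhex("001122334455")
GATEWAY_MAC = bytes.fromhex("66778899aabb")
LOCAL_IP, LOCAL_PORT = "192.168.1.10", 49152
REMOTE_IP, REMOTE_PORT = "203.0.113.5", 80

SYN, ACK = 0x02, 0x10  # TCP flag bits in the flags byte at TCP offset 13


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame: no options, no payload, checksums zeroed."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)        # EtherType 0x0800 = IPv4 = 2048
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def layer_base(frame, layer):
    """Byte position where each header starts; rule offsets are relative to this."""
    if layer == "ETH":
        return 0
    if layer == "IP":
        return 14                                  # 6 + 6 + 2 bytes of Ethernet header
    if layer == "TCP":
        return 14 + (frame[14] & 0x0F) * 4         # IHL (low nibble of IP byte 0) in 32-bit words
    raise ValueError(layer)


def field_value(frame, layer, offset, size):
    """Read `size` bytes at `offset` inside `layer` as a big-endian integer."""
    start = layer_base(frame, layer) + offset
    raw = frame[start:start + size]
    if len(raw) != size:
        raise ValueError("field runs past the end of the frame")
    return int.from_bytes(raw, "big")


# Stem's Wireshark walk-through as (layer, offset, size) per field.
FIELD_MAP = {
    "eth.dst": ("ETH", 0, 6), "eth.src": ("ETH", 6, 6), "eth.type": ("ETH", 12, 2),
    "ip.proto": ("IP", 9, 1), "ip.src": ("IP", 12, 4), "ip.dst": ("IP", 16, 4),
    "tcp.srcport": ("TCP", 0, 2), "tcp.dstport": ("TCP", 2, 2), "tcp.flags": ("TCP", 13, 1),
}


def walk_headers(frame):
    return {name: field_value(frame, *spec) for name, spec in FIELD_MAP.items()}


def match_rule(frame, direction, rule):
    """direction is 'in' (DL, the reply) or 'out' (UL); a rule carries one offset per direction."""
    layer, offset_in, offset_out, size, op, v1, v2 = rule
    offset = offset_in if direction == "in" else offset_out
    value = field_value(frame, layer, offset, size)
    if op == "EQUAL_VALUE1":
        return value == v1
    if op == "EQUAL_VALUE1OR2":
        return value == v1 or value == v2
    if op == "RANGE":                              # assumed operator name: v1 <= field <= v2
        return v1 <= value <= v2
    raise ValueError(op)


def match_all(frame, direction, rules):
    return all(match_rule(frame, direction, r) for r in rules)


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


# "Accept incoming SYN+ACK from REMOTE_IP:REMOTE_PORT to a local ephemeral port".
# Tuples: (layer, offset DL/in, offset UL/out, size, op, value1, value2).
SYN_ACK_RULES = [
    ("ETH", 12, 12, 2, "EQUAL_VALUE1", 0x0800, None),                              # EtherType IPv4 (2048)
    ("ETH", 6, 0, 6, "EQUAL_VALUE1", int.from_bytes(GATEWAY_MAC, "big"), None),    # gateway MAC: src in, dst out
    ("IP", 9, 9, 1, "EQUAL_VALUE1", 6, None),                                      # protocol TCP, 1-byte field
    ("IP", 12, 16, 4, "EQUAL_VALUE1", ip_int(REMOTE_IP), None),                    # remote IP: src in, dst out
    ("TCP", 0, 2, 2, "EQUAL_VALUE1", REMOTE_PORT, None),                           # remote port: src in, dst out
    ("TCP", 2, 0, 2, "RANGE", 49152, 65535),                                       # local ephemeral port range
    ("TCP", 13, 13, 1, "EQUAL_VALUE1", SYN | ACK, None),                           # flags byte exactly 0x12
]

OUTBOUND_SYN = build_frame(LOCAL_MAC, GATEWAY_MAC, LOCAL_IP, REMOTE_IP, LOCAL_PORT, REMOTE_PORT, SYN)
INBOUND_SYN_ACK = build_frame(GATEWAY_MAC, LOCAL_MAC, REMOTE_IP, LOCAL_IP, REMOTE_PORT, LOCAL_PORT, SYN | ACK)
SPOOFED_SYN_ACK = build_frame(GATEWAY_MAC, LOCAL_MAC, "198.51.100.9", LOCAL_IP, REMOTE_PORT, LOCAL_PORT, SYN | ACK)

if __name__ == "__main__":
    for name, frame in (("outbound SYN", OUTBOUND_SYN), ("inbound SYN+ACK", INBOUND_SYN_ACK)):
        print(name, {k: hex(v) for k, v in walk_headers(frame).items()})
    print("reply accepted:", match_all(INBOUND_SYN_ACK, "in", SYN_ACK_RULES))
    print("reply with outbound offsets:", match_all(INBOUND_SYN_ACK, "out", SYN_ACK_RULES))
    print("spoofed reply accepted:", match_all(SPOOFED_SYN_ACK, "in", SYN_ACK_RULES))
```

Evaluating the reply with the outbound offsets fails on the MAC rule alone, which is Stem's point about offset 0 versus offset 6. The flags rule uses an exact compare, so a SYN+ACK that also carries ECE or CWR (0x52, 0xD2) would not match; that is the behaviour EQUAL_VALUE1 gives you and is worth knowing before relying on it.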
  25. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    One down.. :)
     