Block port 4444

gmcmanus93
Level 5

Sorry to sound elementary, but I am using a PIX "classic" and want to block all incoming traffic using port 4444. The IOS version is old, 5.2(6), which uses conduit statements and not ACLs. Can I use a command such as "conduit deny ip port 4444 any any"? Thanks in advance. I wanted to block this port to stop the Blaster worm from proliferating. Again, thanks.

7 Replies

mostiguy
Level 6

You can use access-lists on 5.2(6). It is not recommended to use them together with conduits on the same interface, but I prefer using ACLs to the "outbound" command.

Note that you cannot use a port with "ip": "ip" has no port nomenclature. TCP and UDP do, but ICMP and ESP don't.

access-list outbound deny tcp any any eq 4444
access-list outbound deny udp any any eq 4444
access-list outbound permit ip any any

There is your ACL: two commands that block all TCP and UDP outbound to port 4444, and a third command that permits everything else.

access-group outbound in interface inside

This applies the "outbound" ACL we just created to the inbound direction of the inside interface. Remember, this means that the ACL is processed on packets going "in" to the inside interface, i.e. into the PIX and then out, which is exactly what we seek.

All incoming traffic should be blocked by default. I'm wondering why you want to do that.

Thanks. I wanted to be sure that port was closed because reportedly the Blaster worm used that port. I do understand that it should be closed by default, but I wanted to be certain by including a denial statement. Again, thanks. I used the statement "conduit deny tcp any any eq 4444" instead of ACLs because the router uses conduit statements and I didn't want to mix them with ACLs. Do you see any possible issues with that?

With a properly configured firewall, setting up specific filters to prevent traffic to "listening ports" like 4444 is unnecessary. A properly configured firewall will have the list of address/port combinations defining what traffic is allowed in unsolicited from the outside; all unsolicited traffic not matching that list is dropped. (By "unsolicited" I mean packets that are not part of a data flow initiated from inside your network.) Since the IP address and listening port on the compromised machine will not be in the firewall's list, the exploit packets will not reach it.

If a PC in your network is compromised by a virus that initiates a session out to a hacker machine, it is unlikely that there will be a specific port to block to prevent traffic returning from the hacker. The initiating PC will be able to select randomly from thousands of port numbers for the one it will use to accept the return traffic. That's the normal way TCP and UDP work.

Here's what I entered:

access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq 135
access-list 102 permit ip any any
access-group 102 in interface outside

This seems to block the worm, but it seems to have caused problems with my VPN. My VPN users can now connect to the network, but they can't map any network drives or access anything on the network. Did I type something in wrong?

Thanks.
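An added example, not part of the original thread or of Cisco's own code: a small first-match evaluator for the PIX-style access-list lines posted in mostiguy's reply and in the "Here's what I entered" post above. It lets you check what an ACL actually matches before applying it, and it enforces the point made earlier that "ip" entries take no port qualifier. It assumes the subset of the syntax used in this thread ("access-list NAME permit|deny ip|tcp|udp any any [eq PORT]"); the sample packets are constructed for illustration.

```python
"""First-match evaluation of PIX-style ACL lines (illustrative model only)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", "icmp", "esp", ...
    dport: Optional[int]    # destination port; None for protocols without ports


@dataclass(frozen=True)
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol
    dport: Optional[int]    # None means "any port"


def parse_acl(text: str) -> Dict[str, List[Entry]]:
    """Parse 'access-list NAME action proto any any [eq PORT]' lines, keeping order.
    Lines that are not access-list lines (e.g. access-group) are ignored."""
    acls: Dict[str, List[Entry]] = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        if len(tok) < 6 or tok[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported syntax (only 'any any' modelled): {line}")
        name, action, proto = tok[1], tok[2], tok[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        dport = None
        if len(tok) >= 8 and tok[6] == "eq":
            if proto == "ip":
                # 'ip' has no port nomenclature; a port needs tcp or udp
                raise ValueError(f"'ip' entries cannot carry a port: {line}")
            dport = int(tok[7])
        acls.setdefault(name, []).append(Entry(action, proto, dport))
    return acls


def is_valid_acl(text: str) -> bool:
    """True if every access-list line in text parses under the modelled syntax."""
    try:
        parse_acl(text)
        return True
    except ValueError:
        return False


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; an ACL with no match denies implicitly."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def decisions(acl_text: str, name: str, packets: List[Packet]) -> List[str]:
    return [evaluate(parse_acl(acl_text)[name], p) for p in packets]


# The two ACLs posted in this thread.
OUTBOUND_ACL = """
access-list outbound deny tcp any any eq 4444
access-list outbound deny udp any any eq 4444
access-list outbound permit ip any any
"""

ACL_102 = """
access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq 135
access-list 102 permit ip any any
access-group 102 in interface outside
"""

if __name__ == "__main__":
    probes = [Packet("tcp", 4444), Packet("udp", 4444), Packet("tcp", 80), Packet("icmp", None)]
    print("outbound:", decisions(OUTBOUND_ACL, "outbound", probes))
    print("102:", decisions(ACL_102, "102", [Packet("tcp", 135), Packet("tcp", 445)]))
    print("deny ip ... eq 4444 parses:", is_valid_acl("access-list x deny ip any any eq 4444"))
```

Two things the model makes visible: the original question's "conduit deny ip port 4444" idea fails at parse time because "ip" cannot take a port, and with no ACL applied (an empty entry list) the result is the implicit deny. Note also that "permit ip any any" as the last line of the ACL applied inbound on the outside interface replaces that implicit deny with a permit-everything rule, which is the opposite of the "drop everything not on the list" behaviour the later reply describes; on the inside interface the same catch-all is harmless because outbound traffic is permitted there by default.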

jmia
Level 7

Hi -

Please read the following advisory release from Cisco:

http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml

Thanks - Jay

gmcmanus93
Level 5

I am aware of that. Thank you. I needed assistance with blocking a single port on an older IOS using conduit statements. I did understand that the ports were not open unless explicitly given the right, but thanks for the additional information.