* Rule for PROTO=139?
From: Walter H. @ 2016-09-06 10:58 UTC (permalink / raw)
To: netfilter
Hello,
does anybody know with which rule I can catch these entries:
[317607.438061] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:72:b9:56:16:3e:08:00
SRC=0.0.0.0 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=1624
PROTO=139
Thanks,
Walter
* Re: Rule for PROTO=139?
From: Rob Sterenborg (lists) @ 2016-09-06 11:20 UTC (permalink / raw)
To: Walter H., netfilter
On 2016-09-06 12:58, Walter H. wrote:
> Hello,
>
> does anybody know with which rule I can catch these entries:
>
> [317607.438061] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:72:b9:56:16:3e:08:00
> SRC=0.0.0.0 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=1624
> PROTO=139
According to my /etc/protocols, protocol 139 is called 'hip' (Host
Identity Protocol). So, something like
iptables -A INPUT -i br0 -p 139 -j DROP
or
iptables -A INPUT -i br0 -p hip -j DROP
See also: man iptables
--
Rob
* Re: Rule for PROTO=139?
From: Andreas Hainke @ 2016-09-06 11:25 UTC (permalink / raw)
To: Walter H., netfilter
Hi Walter,
as far as I know you can use the -p <protocol_number> parameter using
iptables.
iptables -A FORWARD -i br0 -p 139 -j DROP
If you are using nftables
nft add rule <table> <chain> ip protocol 139 drop
should work.
Regards,
Andreas
On 06.09.2016 at 12:58, Walter H. wrote:
> Hello,
>
> does anybody know with which rule I can catch these entries:
>
> [317607.438061] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:72:b9:56:16:3e:08:00
> SRC=0.0.0.0 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=1624
> PROTO=139
>
> Thanks,
> Walter
* RE: Rule for PROTO=139?
From: Walter H. @ 2016-09-06 12:03 UTC (permalink / raw)
To: "André Paulsberg-Csibi (IBM Consultant)"
Cc: netfilter@vger.kernel.org
Hello,
On Tue, September 6, 2016 13:51, André Paulsberg-Csibi (IBM Consultant)
wrote:
> I will only add to the answers that this is not so widely used,
> the fact that you see these packets would suggest that
> one unit in your network with MAC 4c:72:b9:56:16:3e is using the HIP
> protocol
> to try to identify hosts within your LAYER 2 BROADCAST domain.
I see;
> You could block it and ignore it , but maybe you would like to find that
> MAC owner and check why it is using HIP .
yes this is my computer and the line came from my router;
> If it is some unit you manage , maybe you can "remove" it at the source
> and save your L2-BC from this traffic all together :-)
yes, of course, but where can I find the piece of software that is doing
this on my computer running WinXP Prof. x64 Ed.;
Thanks,
Walter
> -----Original Message-----
> From: netfilter-owner@vger.kernel.org
> [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Walter H.
> Sent: 6. september 2016 12:59
> To: netfilter@vger.kernel.org
> Subject: Rule for PROTO=139?
>
> Hello,
>
> does anybody know with which rule I can catch these entries:
>
> [317607.438061] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:72:b9:56:16:3e:08:00
> SRC=0.0.0.0 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=1624
> PROTO=139
>
> Thanks,
> Walter
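
Added example, not part of the thread or any poster's message: a small parser for the LOG line discussed above, showing how the MAC= field splits into destination MAC, source MAC and EtherType, and how PROTO=139 maps to a protocol name. The function names and the protocol table excerpt are assumptions made for this illustration, and the sample line is the thread's log entry joined onto one line.

```python
import re

# Constructed input: the log entry quoted in the thread, joined onto one line.
SAMPLE = (
    "[317607.438061] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:72:b9:56:16:3e:08:00 "
    "SRC=0.0.0.0 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=1624 "
    "PROTO=139"
)

# Short excerpt of the IANA protocol-number registry (what /etc/protocols lists).
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 47: "gre", 139: "hip"}


def parse_log_line(line):
    """Split a netfilter LOG line into KEY=value fields and decode MAC/PROTO."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    info = {"in": fields.get("IN", ""), "out": fields.get("OUT", ""),
            "src": fields.get("SRC"), "dst": fields.get("DST")}

    # On Ethernet the MAC= field is the raw 14-byte header:
    # destination MAC (6 bytes), source MAC (6 bytes), EtherType (2 bytes).
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        info["dst_mac"] = ":".join(octets[:6])
        info["src_mac"] = ":".join(octets[6:12])
        info["ethertype"] = "0x" + "".join(octets[12:])

    # LOG prints a name for a few protocols (TCP, UDP, ICMP, ...) and the
    # bare number for everything else, so accept both forms.
    proto = fields.get("PROTO", "")
    if proto.isdigit():
        info["proto_num"] = int(proto)
        info["proto_name"] = PROTO_NAMES.get(int(proto), "unknown")
    else:
        info["proto_name"] = proto.lower()
    return info


def match_spec(info):
    """Build the interface/protocol match used in the replies' rules."""
    proto = info.get("proto_num", info.get("proto_name"))
    return "-i {} -p {}".format(info["in"], proto)


if __name__ == "__main__":
    parsed = parse_log_line(SAMPLE)
    print(parsed)
    print(match_spec(parsed))
```
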