
Welcome to ISAserver.org


RE: "unidentified ip traffic"

RE: "unidentified ip traffic" - 9.Apr.2005 11:11:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline
Well these 224.0.0.x multicasts aren't coming in - they're going OUT from WinXP and Win2K3 boxes here, but being blocked because of port 0 (unknown port). Class D I thought was NASA? Guess I was wrong - but it appears to be routable? Where is this going? What's broadcasting it? Any ideas? Thanks a million for all your help!

(in reply to slemay)
Post #: 21
RE: "unidentified ip traffic" - 10.Apr.2005 1:07:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Shawn,

an excerpt from the "Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference" book:
quote:
IP multicast provides an efficient one-to-many delivery service. To achieve one-to-many delivery using IP unicast traffic, each datagram needs to be sent multiple times. To achieve one-to-many delivery using IP broadcast traffic, a single datagram is sent, but all nodes process it, even those that are not interested. Broadcast delivery service is unsuitable for internetworks, as routers are designed to prevent the spread of broadcast traffic. With IP multicast, a single datagram is sent and forwarded across routers only to the network segments containing nodes that are interested in receiving it.

Historically, IP multicast traffic has been little utilized. However, recent developments in audio and video teleconferencing, distance learning, and data transfer to a large number of hosts have made IP multicast traffic more important.

All multicast traffic is sent to a class D address in the range 224.0.0.0 through 239.255.255.255 (224.0.0.0/4). All traffic in the range 224.0.0.0 through 224.0.0.255 (224.0.0.0/24) is for the local subnet and is not forwarded by routers. Multicast-enabled routers forward multicast traffic in the range 224.0.1.0 through 239.255.255.255 with an appropriate Time to Live (TTL).

HTH,
Stefaan

(in reply to slemay)
Post #: 22
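
An added example, not part of any forum post: a small triage script that applies the address ranges from the quoted text to denied firewall log entries, separating local-subnet multicast (which routers do not forward) from routable multicast and unicast. The four-field log format and the sample lines are constructed for illustration and are not ISA Server's log format; the group names are the IANA assignments for those addresses.

```python
import ipaddress
from collections import Counter

MULTICAST = ipaddress.ip_network("224.0.0.0/4")      # class D range from the quote
LOCAL_SUBNET = ipaddress.ip_network("224.0.0.0/24")  # not forwarded by routers
# Well-known local-subnet groups (IANA assignments).
KNOWN_GROUPS = {"224.0.0.1": "all hosts", "224.0.0.2": "all routers",
                "224.0.0.22": "IGMPv3 reports", "224.0.0.251": "mDNS"}

def classify(dest):
    """Return (scope, group name or None) for an IPv4 destination."""
    addr = ipaddress.IPv4Address(dest)
    if addr in LOCAL_SUBNET:
        return "local-subnet multicast", KNOWN_GROUPS.get(str(addr), "other")
    if addr in MULTICAST:
        return "routable multicast", None
    return "not multicast", None

def triage(lines):
    """Count denied entries per (source, destination, scope)."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[3] != "Denied":
            continue  # skip malformed or allowed entries
        src, dst = fields[0], fields[1]
        try:
            scope, _ = classify(dst)
        except ValueError:
            continue  # destination is not a valid IPv4 address
        counts[(src, dst, scope)] += 1
    return counts

# Constructed sample lines: source, destination, IP protocol number, action.
SAMPLE_LOG = """\
192.168.1.10 224.0.0.22 2 Denied
192.168.1.10 224.0.0.22 2 Denied
192.168.1.11 224.0.0.251 17 Denied
192.168.1.12 239.255.255.250 17 Denied
192.168.1.13 203.0.113.7 1 Denied
192.168.1.14 10.0.0.5 6 Allowed
""".splitlines()

if __name__ == "__main__":
    for (src, dst, scope), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {src} -> {dst}  {scope}")
```

Entries reported as local-subnet multicast never leave the segment through a router, so denied entries of that kind reflect hosts announcing themselves rather than traffic headed for an outside destination.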
RE: "unidentified ip traffic" - 10.Apr.2005 3:17:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Shawn,
Looks like Stefaan answered your question about multicast. My comment about "shit coming at you from the outside" was not intended to suggest that the multicast was coming from the outside. I did read your comment "(source is Internal)". [Roll Eyes]

It was a general comment, hence my use of the term "Basically", that I subscribe to and not just from outside to inside. You should not be opening up traffic you do not have good reason to, especially when you do not fully understand what the traffic is and does.

I still don't understand your inclination and joy in being able to ping. Ping is EVIL and should be blocked. That is why MS buried it in the system policy!

You seem to be driven by a desire to eliminate as much of the last "default" rule blocked entries in your log, as if they are a bad thing. They are not bad, but rather GOOD... evidence that the firewall is doing what it is intended to do. After you have the firewall working the way you want, if you are wanting to reduce the log entries, you can define a "Next to Last" deny rule that does not log, and enable/disable it as needed. Before anyone thinks about flaming me for the suggestion, I do understand the implication of not logging. To each his own.

(in reply to slemay)
Post #: 23
RE: "unidentified ip traffic" - 10.Apr.2005 5:56:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi LLigetfa,

I fully agree! Creating a "Next to Last" deny rule that does not log stuff you don't want to support should be standard practice. [Cool]

HTH,
Stefaan

(in reply to slemay)
Post #: 24
RE: "unidentified ip traffic" - 10.Apr.2005 6:13:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Look Ma, no flames! [Big Grin]

Thanks,

Les

BTW, what does it take to get any stars on this board? 134 posts to date of mostly good (IMHO) advice and I still don't have any stars. [Frown]

(in reply to slemay)
Post #: 25
RE: "unidentified ip traffic" - 10.Apr.2005 6:30:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Les,

I wish I knew. I think it depends on how many people voted on you. Looking at your profile, two people have done that so far and I was one of them (just done it). [Wink]

Stefaan

[ April 10, 2005, 06:31 PM: Message edited by: spouseele ]

(in reply to slemay)
Post #: 26
RE: "unidentified ip traffic" - 10.Apr.2005 6:39:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
My Rating now:
Total Votes 2
Weighted Score 3.70

It's a good start [Cool]

Thanks

(in reply to slemay)
Post #: 27
RE: "unidentified ip traffic" - 10.Apr.2005 6:46:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline
As far as I see - you both have stars! [Smile] and I'll add to that! [Smile] I like the idea about dropping the logging as a next to last rule - good suggestion. As for pinging - how else do you troubleshoot cheap connections!??! When you can get a 6mbps / 768kbps for $100 a month (or soon to be 15mbps / 2mbps for $50 from a competitor) - I have to be able to do traceroutes and pings to see what's going on and why things just don't work. The days of spending $2000 a month for a T1 line which worked 99% of the time are over. Now it's $100 a month and at least once or twice a month things aren't working up to par... it's the price of speed these days! [Smile]

(in reply to slemay)
Post #: 28
RE: "unidentified ip traffic" - 10.Apr.2005 7:05:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Thank you for your vote. Instead of allowing ping, take a look in the manual for "Configure connectivity verifiers". You can even get it to email you when the connection goes down.

Ping is just ping... I don't understand why ppl put so much stock in it. It's like checking for a pulse. You can be passed out drunk and still have a pulse.

(in reply to slemay)
Post #: 29
RE: "unidentified ip traffic" - 10.Apr.2005 7:17:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline
True - Ping is just ping for a heartbeat - and yes - I do have some connectivity verifiers already running. But traceroutes rely on pings thus the two go together, and when trying to isolate a problem - one needs to trace where the problem is coming from.

(in reply to slemay)
Post #: 30
RE: "unidentified ip traffic" - 10.Apr.2005 7:51:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Shawn,

if you have some ping connectivity verifiers configured, then that means that the system policy rule #11 is enabled. That system policy rule should also allow tracert from ISA server itself.

If that isn't enough you can always create a custom access rule to allow ping/tracert from a particular internal host for diagnostic purposes and enable/disable that rule when needed.

HTH,
Stefaan

(in reply to slemay)
Post #: 31
RE: "unidentified ip traffic" - 10.Apr.2005 7:58:00 PM   
slemay

 

Posts: 17
Joined: 3.Mar.2005
Status: offline
Stefaan,
I'm all set - all is working well now. I've got some other issues, but I'm going on vacation on Tuesday for 12 days - and I've got Tom's new book for ISA2K4, so I'm going to study it a little bit to see if I can figure them out before I post anything else. Thanks again,
Shawn

(in reply to slemay)
Post #: 32
RE: "unidentified ip traffic" - 10.Apr.2005 8:03:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Shawn,

oh... well I wish you then a nice vacation. [Cool]

Stefaan

(in reply to slemay)
Post #: 33
