Topic
  • 5 replies
  • Latest Post - 2013-05-15T13:17:25Z by HermannSW
HisNibs
87 Posts

Pinned topic Refuse connection on port address 0

2013-05-14T15:42:56Z

This is probably a network 101.  I understood that the only connections that can be made to the DataPower device are those I define in my service configurations and where I have enabled various management services.  I can confirm this by calling the device using an address such as

https://datapower.com:123/

and get a connection refused, which is perfect as there is no defined service listening on that IP and port combination.  However, I can call the following address and get a response

https://datapower.com:0/

I cannot see any configured service in the TCP Summary and would like this connection to be refused as well.  How can I configure this, as my security guys are complaining?

  • swlinn
    1395 Posts

    Re: Refuse connection on port address 0

    2013-05-14T15:50:42Z

    Well, you learn something new every day.  I'd assumed 0 was reserved and not to be used, but Google being our friend, I did a search and found this site https://www.grc.com/port_0.htm which says port 0 is a wild card to tell the target system to choose the port it wishes to choose.  I've no clue how DataPower handles this, but can you tell from the response what service is being invoked?

    Regards,

    Steve


  • HisNibs
    87 Posts

    Re: Refuse connection on port address 0

    2013-05-15T07:53:24Z

    I cannot tell as I have no defined services (from TCP Port Status table) with a local port set to 0.  I have numerous services in 'listen' status on remote port 0 but I would expect this.  Can you replicate this behaviour on your devices or is this something specific to my configuration?

  • HermannSW
    5824 Posts

    Re: Refuse connection on port address 0

    2013-05-15T10:17:18Z

    Hi,

    I cannot say what happens, but I can say that nothing reaches the DataPower box.

    • did a packet capture on all interfaces
    • sent a request against box with port 0
    • waited until packet capture complete
    • opened Wireshark with the packet capture
    • selected "ip.addr==a.b.c.d" with a.b.c.d being the IP address of my laptop that sent request
    • result: nothing
    • After "real    1m3.065s" the curl statement timed out with message "curl: (7) couldn't connect to host"


    Hermann

  • HisNibs
    87 Posts

    Re: Refuse connection on port address 0

    2013-05-15T12:16:02Z

    • did a packet capture on all interfaces
    • sent a request against box with port 0
    • waited until packet capture complete
    • opened Wireshark with the packet capture
    • selected "ip.addr==a.b.c.d" with a.b.c.d being the IP address of my laptop that sent request
    • result: could see formatted XML request in the packets

    A previous message to port 1 on the device did exactly what I expected, as follows:

    Wed May 15 13:11:17 BST 2013:DEBUG:<< "HTTP/1.1 500 Error[\r][\n]"
    Wed May 15 13:11:17 BST 2013:DEBUG:<< "Content-Type: text/xml;charset=UTF-8[\r][\n]"
    Wed May 15 13:11:17 BST 2013:DEBUG:<< "X-Backside-Transport: FAIL FAIL[\r][\n]"
    Wed May 15 13:11:17 BST 2013:DEBUG:<< "Connection: close[\r][\n]"
    Wed May 15 13:11:17 BST 2013:DEBUG:<< "[\r][\n]"

    I have checked all the FSH and mgmt interfaces and none are listening on port 0.  Where else can I check?

  • HermannSW
    5824 Posts

    Re: Refuse connection on port address 0

    2013-05-15T13:17:25Z

    Please do what I responded with.
    You will notice that the request does NOT reach DataPower -- it ends somewhere in the network.


    Hermann
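A client-side complement to the packet capture Hermann describes, added here as an example and not code from any post in this thread: it reads the port literally from the URL (so ":0" stays 0 instead of being swapped for the scheme default) and attempts a plain TCP connect with no HTTP library in between, classifying the result as connected, refused or timed out, so the two sides of the thread (curl timing out versus another client's XML reaching the box) can be told apart on the same machine. The function names are mine, the host datapower.com is the thread's own placeholder, and demo_local() uses loopback sockets so the block runs offline.

```python
import socket
from urllib.parse import urlsplit

def effective_port(url):
    """Port named by the URL, read literally: an explicit ':0' stays 0.
    The scheme default applies only when no port is written at all."""
    parts = urlsplit(url)
    if parts.port is None:
        return {"http": 80, "https": 443}[parts.scheme.lower()]
    return parts.port

def probe_tcp(host, port, timeout=3.0):
    """Plain TCP connect with no HTTP library in between.  Outcomes:
    connected (handshake done), refused (RST back: nothing listening),
    timeout (no answer: SYN dropped on the path), error:N (other errno)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error:%s" % exc.errno
    finally:
        sock.close()

def probe_url(url, timeout=3.0):
    """(literal port, outcome) for the host and port written in the URL."""
    port = effective_port(url)
    return port, probe_tcp(urlsplit(url).hostname, port, timeout)

def demo_local():
    """Offline self-check on loopback: one listening port, one closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # bind-time 0 means 'pick an ephemeral port'
    srv.listen(1)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                  # nothing listens on closed_port any more
    try:
        return (probe_tcp("127.0.0.1", srv.getsockname()[1]),
                probe_tcp("127.0.0.1", closed_port))
    finally:
        srv.close()
```

Run probe_url("https://datapower.com:0/") from the same client host that produced the HTTP trace above and compare the outcome with what the HTTP client library reported; a "timeout" here matches Hermann's empty capture, while "connected" means a SYN to the literal port 0 was answered.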