Filtering MacOsx traffic (netboot) with acl

Ton V Engelen
Level 3

Hi,

This might be a long shot, but maybe someone ran into the same issue.

I'm filtering traffic between a MacOsx client and a MacOsx server with an extended access-list.

Everything works fine except when booting. The MacOsx client won't boot, because it wants to communicate on some random udp port and keeps trying while incrementing the random udp port by 2.

Client ip: 10.10.91.77, server ip: 10.10.90.12

ip helper is configured.

When I allow all udp ports and only filter tcp ports, it is working, obviously, because no udp ports are blocked then. When I stick to the list of ports that MacOsx netboot is using, I get this issue and the random udp port incremented by 2. This is the logging output.

ACL logging output:

Apr  2 14:48:36.187: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47778) -> 10.10.90.12(58915), 1 packet
Apr  2 14:48:41.259: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47780) -> 10.10.90.12(55478), 1 packet
Apr  2 14:48:46.315: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47782) -> 10.10.90.12(54641), 1 packet
Apr  2 14:48:51.371: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47784) -> 10.10.90.12(63614), 1 packet
Apr  2 14:48:56.427: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47786) -> 10.10.90.12(55421), 1 packet
Apr  2 14:49:01.483: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47788) -> 10.10.90.12(63681), 1 packet

etc etc...

The acl looks like this; these are the ports that must be allowed between the client and the server according to the MacOsx descriptions:

ip access-list extended TEST
    20 permit tcp any host 10.10.90.12 eq 88
    30 permit tcp any host 10.10.90.12 eq 106
    40 permit tcp any host 10.10.90.12 eq 123
    50 permit tcp any host 10.10.90.12 eq 139
    60 permit tcp any host 10.10.90.12 eq 311
    70 permit tcp any host 10.10.90.12 eq 389
    80 permit tcp any host 10.10.90.12 eq 427
    90 permit tcp any host 10.10.90.12 eq 548
    100 permit tcp any host 10.10.90.12 range 600 1023
    110 permit tcp any host 10.10.90.12 eq 2049
    120 permit tcp any host 10.10.90.12 eq 3283
    130 permit tcp any host 10.10.90.12 eq 3659
    140 permit tcp any host 10.10.90.12 eq 4111
    150 permit tcp any host 10.10.90.12 eq 5900
    160 permit tcp any host 10.10.90.12 eq 5432
    170 permit tcp any host 10.10.90.12 eq 5988
    180 permit tcp any host 10.10.90.12 range 8000 8999
    190 permit tcp any host 10.10.90.12 range 49152 65535
    200 permit tcp any host 10.10.90.12 eq sunrpc
    220 permit tcp any 224.0.0.0 0.0.0.255
    230 permit udp any 224.0.0.0 0.0.0.255
    240 permit udp any host 10.10.90.12 eq 88
    245 permit udp any host 10.10.90.12 eq sunrpc
    250 permit udp any host 10.10.90.12 eq 427
    255 permit udp any host 10.10.90.12 eq 989
    260 permit udp any host 10.10.90.12 range 600 1023
    270 permit udp any host 10.10.90.12 eq 2049
    280 permit udp any host 10.10.90.12 eq 3283
    290 permit udp any host 10.10.90.12 eq 3659
    300 permit udp any host 10.10.90.12 eq 5353
    310 permit udp any host 10.10.6.31 eq domain
    320 permit udp any host 10.10.90.12 eq netbios-ns
    330 permit udp any host 10.10.90.12 eq netbios-dgm
    340 permit udp any host 10.10.90.12 eq ntp
    350 permit udp any host 10.10.90.12 eq bootps
    360 permit udp any host 10.10.90.12 eq bootpc
    370 permit udp any host 10.10.90.12 eq tftp
    420 permit icmp any host 10.10.90.12 echo
    430 permit icmp any host 10.10.90.12 echo-reply

Does anyone know how to fix this, maybe by configuring something on the MacOsx client or server?

Thanks in advance!
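The denied entries above have a shape a defender can recognise mechanically: same client and server, source port stepping by a constant stride, destination port different and above 1023 every time, about five seconds apart. That is what return traffic to a dynamically negotiated port looks like when a stateless ACL drops it. The following script is an added example written for this thread, not code from the thread or from Cisco; it parses %SEC-6-IPACCESSLOGP lines (the sample input is a constructed copy of the six lines posted above) and reports runs that fit that pattern. The field names in the result dictionary and the `min_run`/`ephemeral_floor` thresholds are my own choices.

```python
"""Parse IOS %SEC-6-IPACCESSLOGP lines and flag denies whose source port
steps by a constant stride while the destination port is a different high
(ephemeral) port each time: the signature of a stateless ACL dropping the
data channel of a dynamic-port protocol such as TFTP."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a copy of the six denied lines posted in the thread.
SAMPLE_LOG = """\
Apr  2 14:48:36.187: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47778) -> 10.10.90.12(58915), 1 packet
Apr  2 14:48:41.259: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47780) -> 10.10.90.12(55478), 1 packet
Apr  2 14:48:46.315: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47782) -> 10.10.90.12(54641), 1 packet
Apr  2 14:48:51.371: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47784) -> 10.10.90.12(63614), 1 packet
Apr  2 14:48:56.427: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47786) -> 10.10.90.12(55421), 1 packet
Apr  2 14:49:01.483: %SEC-6-IPACCESSLOGP: list TEST denied udp 10.10.91.77(47788) -> 10.10.90.12(63681), 1 packet
"""

# Searched (not anchored) so a syslog hostname or sequence prefix does not break parsing.
LOG_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "count"):
            e[key] = int(e[key])
        # IOS omits the year; any fixed year is fine for computing gaps.
        e["time"] = datetime.strptime("2000 " + e["ts"], "%Y %b %d %H:%M:%S.%f")
        entries.append(e)
    return entries


def find_dynamic_port_drops(entries, min_run=3, ephemeral_floor=1024):
    """Group denies by (proto, src, dst) and report runs where the source port
    advances by a constant non-zero stride and every destination port is a
    distinct port at or above ephemeral_floor."""
    groups = defaultdict(list)
    for e in entries:
        if e["action"] == "denied":
            groups[(e["proto"], e["src"], e["dst"])].append(e)
    findings = []
    for (proto, src, dst), run in groups.items():
        run.sort(key=lambda e: e["time"])
        if len(run) < min_run:
            continue
        strides = {b["sport"] - a["sport"] for a, b in zip(run, run[1:])}
        dports = [e["dport"] for e in run]
        if (len(strides) == 1 and strides != {0}
                and min(dports) >= ephemeral_floor
                and len(set(dports)) == len(dports)):
            gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(run, run[1:])]
            findings.append({
                "proto": proto, "src": src, "dst": dst, "acl": run[0]["acl"],
                "attempts": len(run),
                "sport_stride": strides.pop(),
                "retry_interval_s": round(sum(gaps) / len(gaps), 1),
                "dport_range": (min(dports), max(dports)),
            })
    return findings


if __name__ == "__main__":
    for f in find_dynamic_port_drops(parse_acl_log(SAMPLE_LOG)):
        print(f"{f['proto']} {f['src']} -> {f['dst']}: {f['attempts']} retries every "
              f"~{f['retry_interval_s']}s, source port +{f['sport_stride']}, "
              f"destination ports {f['dport_range'][0]}-{f['dport_range'][1]} (list {f['acl']})")
```

Run against the thread's lines it reports one finding: six udp denies from 10.10.91.77 to 10.10.90.12 about every 5.1 seconds, source port stepping by 2, destination ports spread between 54641 and 63681. That output on its own does not say which protocol is involved, but it tells the operator to look for an entry in the ACL that permits only the control port of something.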

1 Accepted Solution

Hi Ton,

Yes, filtering tftp this way is not the good way; you need a device which can cope with dynamic port communication, like an ASA, or use a Zone-based firewall on your router and inspect tftp traffic.

But as a fix you can permit udp from the client ip subnet to the server, from >1024 to >1024.

Regards.

Alain.

Don't forget to rate helpful posts.


6 Replies

cadet alain
VIP Alumni

Hi,

Can you do a debug ip packet detail where the acl is only permitting udp between the client and server?

Also, for clarity, disable timestamps for debugging: no service timestamps debug

Post the result. I want to verify whether or not this is tftp traffic.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

Thanks for your reply.

I can do that when I can get another service window (when things aren't so busy at the academy), so I'm not sure when I'll be able to do this.

I did permit udp tftp in line 370. Do you think it might be tftp traffic? I don't know a lot about MacOsx, except that I've discovered they're very chatty.

Regards,

Ton

Hi Ton,

"I did permit udp tftp in line 370"

Yes, you permitted traffic to port 69 of the tftp server, but the data transfer is not done from port 69 of the server; instead it advertises a random port number > 1024 to the client, which will use this port for transferring data.

http://www.tcpipguide.com/free/t_TFTPGeneralOperationConnectionEstablishmentandClie.htm

Regards.

Alain.

Don't forget to rate helpful posts.
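To make the port behaviour Alain describes concrete, and to show what the fix in the accepted solution (permit udp from the client subnet to the server, >1024 to >1024) changes, here is an added example that is not code from the thread or from Cisco. It contains a small parser for the subset of IOS extended-ACL syntax used in the thread (`any`, `host`, wildcard masks, `eq`/`gt`/`lt`/`range`, a few port keywords), first-match evaluation with the implicit deny, and a model of one TFTP read: RRQ to port 69, DATA back from a fresh server transfer ID (TID), then the client's ACK to that TID. Only packets headed to the server are evaluated, because that is the direction the thread's ACL filters. The ACL text is a constructed subset of the posted list (udp lines only), the port numbers default to the first denied log line, and the fix is written as one line with an assumed /24 client subnet.

```python
"""Model a TFTP read (RFC 1350) against a stateless IOS-style extended ACL.
Shows why the client's ACK to the server's transfer ID is dropped and what
the 'permit udp <subnet> gt 1023 host <server> gt 1023' fix changes."""
import ipaddress

# IOS port keywords used in the thread's ACL (assumed mapping, RFC-assigned numbers).
PORT_NAMES = {"tftp": 69, "sunrpc": 111, "domain": 53, "ntp": 123,
              "bootps": 67, "bootpc": 68, "netbios-ns": 137, "netbios-dgm": 138}


def _port(tok):
    return int(PORT_NAMES.get(tok, tok))


def _port_cond(tokens):
    """Consume an optional eq/gt/lt/range qualifier; return a port predicate."""
    op = tokens[0] if tokens else None
    if op in ("eq", "gt", "lt"):
        v = _port(tokens[1])
        del tokens[:2]
        return {"eq": lambda p: p == v, "gt": lambda p: p > v, "lt": lambda p: p < v}[op]
    if op == "range":
        lo, hi = _port(tokens[1]), _port(tokens[2])
        del tokens[:3]
        return lambda p: lo <= p <= hi
    return lambda p: True                     # no qualifier: any port


def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return a network."""
    if tokens[0] == "any":
        del tokens[:1]
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        net = ipaddress.ip_network(tokens[1])
        del tokens[:2]
        return net
    addr, wild = tokens[0], tokens[1]
    del tokens[:2]
    # IOS wildcard bits are the complement of a netmask (contiguous masks only).
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(netmask)), strict=False)


def parse_acl(text):
    """Parse 'ip access-list extended' body lines into rule tuples."""
    rules = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                     # sequence number
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                          # header or remark line
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _addr(rest), _port_cond(rest)
        dst, dport = _addr(rest), _port_cond(rest)
        rules.append((action, proto, src, sport, dst, dport, raw.strip()))
    return rules


def evaluate(rules, proto, src_ip, sport, dst_ip, dport):
    """First-match evaluation with IOS's implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, sp, dst, dp, text in rules:
        if p in (proto, "ip") and s in src and sp(sport) and d in dst and dp(dport):
            return action, text
    return "deny", "implicit deny"


def tftp_read(client, server, cport=47778, tid=58915):
    """Packets of one TFTP read: RRQ to port 69, DATA from a fresh server TID,
    ACK from the client to that TID. Default ports are constructed from the
    first denied line in the thread's log."""
    return [("RRQ", client, cport, server, 69),
            ("DATA", server, tid, client, cport),
            ("ACK", client, cport, server, tid)]


def verdicts_towards_server(rules, client, server, **ports):
    """Verdict for each packet the thread's ACL (applied towards the server) sees."""
    return {name: evaluate(rules, "udp", s, sp, d, dp)[0]
            for name, s, sp, d, dp in tftp_read(client, server, **ports)
            if d == server}


# Constructed subset of the thread's ACL: udp lines relevant to the boot.
PAGE_ACL = """\
ip access-list extended TEST
 260 permit udp any host 10.10.90.12 range 600 1023
 270 permit udp any host 10.10.90.12 eq 2049
 370 permit udp any host 10.10.90.12 eq tftp
"""
# Alain's fix as one IOS line; the /24 client subnet is an assumption.
FIX_LINE = " 380 permit udp 10.10.91.0 0.0.0.255 gt 1023 host 10.10.90.12 gt 1023\n"

if __name__ == "__main__":
    for label, text in (("as posted", PAGE_ACL), ("with fix", PAGE_ACL + FIX_LINE)):
        print(label, verdicts_towards_server(parse_acl(text), "10.10.91.77", "10.10.90.12"))
```

As posted, the RRQ is permitted by line 370 and the ACK to the TID falls through to the implicit deny, which is exactly the 47778 -> 58915 entry in the log; with the extra line the ACK matches sequence 380 and the read completes. The DATA packet never reaches this ACL because it travels from the server to the client. The trade-off Alain points out is visible in the rule itself: it permits every high-to-high udp flow from that subnet to the server, not just TFTP data, which is why a stateful inspector is the better tool.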

Hi Alain,

So basically it would be impossible to filter tftp traffic the way the acl is written now.

This could be why the MacOsx client won't boot.


Hi Alain,

Thanks. I think I'll have to fix it by permitting udp > 1024.

I didn't realize that the tftp data would be denied.

Normally I deny unwanted traffic and permit anything else with acls, so this wouldn't be an issue.

But in this case I have no choice.

Another ASA would be nice, but I'm afraid there's no budget at the moment.

Regards,

Ton
