Network filter to block specific port

Hi,

I would like to know how to block certain ports using the Intel manageability tool?

I just did the following steps to block certain ports for my AMT machine 10.0.3.202

1. Add the new filter

2. Entered the following details

name :xxxx

type :ipv4(tcp)

direction :receive(outbound traffic)

profile :statistics drop packets

traffic direction :inbound

ip :10.0.3.229 (need to block an HTTP request for this IP)

network mask :255.255.255.255

Clicked the simple port filter (set the source port: 80, dest port: 100) (this will block the HTTP port, right?)

3. Created the policy, then added the specific filter

4. Activated the policy

But this does not work.

I'm able to communicate from AMT machine 10.0.3.202 to 10.0.3.229 through IE (http://10.0.3.129)

Please help me out to fix this problem. How can I block a certain port using this Intel manageability tool option? I would also like to know about the source port range and destination port range IPv4/TCP filters.

Thanks,
Mani

Hi Mani,
Just to be clear, you would like to block http (port 80) traffic from 10.0.3.202? Is it just outgoing http requests or you also want to block incoming http responses too?

Thanks,
AI

Hi,

I would like to block both outgoing HTTP requests and incoming HTTP responses.

I did the following steps to block the incoming HTTP response from the 10.0.3.88 machine to my AMT device (10.0.3.202) through the simple port method

1. Created the new filter

2. Entered the details as follows

Name :XXX

Type :IPV4(TCP packets)

Direction :receive (Inbound)

Profile :statistics drop packets

Traffic direction : Outbound

Ip address :10.0.3.88

Network mask :255.255.255.255

Click simple port and enter the source port as 443 and destination port as 0.

3. Create a policy with filter and activate the policy

But it doesn't work. I'm able to browse https://10.0.3.88 from my AMT machine

For blocking outgoing HTTP requests I did the following steps

1. Created the new filter

2. Entered the details as follows

Name :XXX

Type :IPV4(TCP packets)

Direction :Transmit (Outbound)

Profile :statistics drop packets

Traffic direction : Inbound

Ip address :10.0.3.88

Network mask :255.255.255.255

Click simple port and enter the source port as 0 and destination port as 443.

3. Create a policy with filter and activate the policy

But it doesn't work. I'm able to browse https://10.0.3.88 from my AMT machine

Are the steps which I did correct or not? Can you please help me out to fix the problem

and also can you please explain how the simple port option will work?

Thanks,

Mani

Hi Mani,
There are a couple of changes that need to be made to your configuration. Try this:

To block outgoing HTTP requests on port 80:

Name :XXX

Type :IPV4(TCP packets)

Direction :Transmit (Outbound)

Profile :statistics drop packets

Traffic direction : Outbound

Ip address :10.0.3.88

Network mask :255.255.0.0

Click destination port range and enter the port as 80 in both the fields.

You can repeat the same for the inbound HTTP traffic. Let me know if this helps.

Thanks,
AI

Hi Ajith Illendula,

I'm able to block port 80 using source port range and destination port range. I would like to know how to block port 80 using the simple port option for a single IP address.

The network mask used is 255.255.0.0, which means it will block the IP range from 10.0.0.0 to 10.0.255.255. Correct me if I'm wrong.

I also noticed one more thing: direction and traffic direction need to be in opposite directions, i.e. if direction is Transmit (Outbound), then traffic direction must be inbound; only then does the filter work. In some cases, like the one you mentioned, direction and traffic direction are the same and it is working fine. For blocking a single IP using an IPv4 filter, direction and traffic direction need to be opposite; only then does the filter get matched. Basically we need to set values to

HdrSrcAddress, HdrSrcMask - for receive (Inbound)

HdrDestAddress, HdrDestMask - for transmit (Outbound)

Correct me if I'm wrong. Can you explain about direction and traffic direction?

Thanks,
Mani

Please remember that the filter is looking at the fields of the packet itself. The Src address filter will look at the Src field of the header. The Dst address will be compared to the Dst field of the header. This will be for any packet whether it is coming or going. Don't think about the filter as for incoming or outgoing traffic. Just think about what fields you need to compare to.

Regards,
Roger

Hi Mani,
Let me try to explain how the system defense feature in Intel AMT works. When you are creating a filter, you can filter based on ethernet frames, IPv4, IPv6 packets, TCP and UDP packets.

We support both inbound and outbound filters. So for each filter, you will need to specify whether you are configuring an inbound filter or an outbound filter. The direction field determines this. If you set it as outbound, it is an outbound filter. If you set it as inbound, it is an inbound filter. In summary, all incoming packets are compared against the inbound filters and all outgoing packets are compared against the outbound filters.

Now, after we have determined the filter direction, the next step is to define what to examine in the network packet. This is where we define whether you want to process the Ethernet headers or IPv4 headers or IPv6 or TCP or UDP. Depending on the type of filter you chose, there are additional settings that need to be configured. Let me try to stick to your example of blocking the HTTP traffic. In this case, the type of filter you need to choose is IPV4/TCP packets in the Manageability Commander tool.

For direction, you define whether it is inbound or outbound as explained above.
For profile, you have the options of pass/drop along with statistics pass/drop.
Also, here you have an option to log an event when this filter is matched, you can find it in the event log of Intel AMT device.

Now, since we chose TCP packet filter, you will then have to define some additional parameters as it relates to the ports that you want to filter on.
In the TCP filtering, now you have a choice to filter it on src IP address or dst IP address. This is determined by the traffic direction option in the commander tool.
If your filter type is outbound, and the traffic direction is outbound, you are filtering on dst IP address.
If your filter type is outbound, and the traffic direction is inbound, you are filtering on src IP address.
If your filter type is inbound, and the traffic direction is outbound, you are filtering on src IP address.
If your filter type is inbound, and the traffic direction is inbound, you are filtering on dst IP address.

Depending on your traffic direction, you have to provide the exact IP address and the subnet mask. So for example, if the IP address is 10.0.0.100 and subnet mask is 255.255.255.0, you have to provide these exact values. You cannot provide 255.255.0.0 or 255.255.255.255.

Next comes filtering on ports. Once we have identified the filter type, traffic direction, IP address and subnet mask, we can refine the filter further for the ports that we want to filter on.

You have four choices:
1. No port filtering
2. Simple port filter - where you have to provide exact source filter and destination filter
3. Source port range - range of source ports, if both begin and end are same values, it's equivalent to filtering on one port
4. Destination port range - range of destination ports, if both begin and end are same values, it's equivalent to filtering on one port.

Hope this clarifies now how you can configure these settings to fit your need.

In your specific example, the problem with simple port filtering is that you don't always know what port the OS networking stack will use as a source port, even though we know that the destination port is 80 or 443. So that is the reason I suggested you use an outbound filter with network direction as outbound and destination port range set to port 80 (or 443 if using https).

Please let me know if you have more questions.

Thanks,
AI
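
A small Python model of the matching rules described in the reply above, added here as an illustration (it is not Intel's code or any poster's code). The masked address comparison, treating a simple-port value of 0 literally, and the sample packets are assumptions of this model, not documented AMT firmware behaviour.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# (filter direction, traffic direction) -> address field compared, per the reply above.
ADDRESS_FIELD = {
    ("outbound", "outbound"): "dst", ("outbound", "inbound"): "src",
    ("inbound", "outbound"): "src", ("inbound", "inbound"): "dst",
}

@dataclass
class Packet:
    direction: str  # "outbound" = leaving the AMT machine
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Filter:
    direction: str
    traffic_direction: str
    ip: str
    mask: str
    port_mode: str = "none"  # none | simple | src_range | dst_range
    ports: tuple = (0, 0)    # simple: (src, dst); ranges: (begin, end)

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False  # outbound filters never see inbound packets
        field = ADDRESS_FIELD[(self.direction, self.traffic_direction)]
        addr = int(IPv4Address(p.src if field == "src" else p.dst))
        mask = int(IPv4Address(self.mask))
        if addr & mask != int(IPv4Address(self.ip)) & mask:  # assumed masked compare
            return False
        a, b = self.ports
        if self.port_mode == "simple":  # both ports exact; 0 taken literally (assumption)
            return (p.sport, p.dport) == (a, b)
        if self.port_mode in ("src_range", "dst_range"):
            port = p.sport if self.port_mode == "src_range" else p.dport
            return a <= port <= b
        return True

# Constructed packets: HTTPS request from 10.0.3.202 and the server's response.
REQUEST = Packet("outbound", "10.0.3.202", "10.0.3.88", 49732, 443)
RESPONSE = Packet("inbound", "10.0.3.88", "10.0.3.202", 443, 49732)
ORIGINAL = Filter("outbound", "inbound", "10.0.3.88", "255.255.255.255", "simple", (0, 443))
SIMPLE = Filter("outbound", "outbound", "10.0.3.88", "255.255.255.255", "simple", (0, 443))
SUGGESTED = Filter("outbound", "outbound", "10.0.3.88", "255.255.0.0", "dst_range", (443, 443))
INBOUND = Filter("inbound", "outbound", "10.0.3.88", "255.255.0.0", "src_range", (443, 443))
```

In this model `ORIGINAL` misses the request because it compares the source address, `SIMPLE` misses it because the ephemeral source port is never 0, and only `SUGGESTED` (outbound) and `INBOUND` (for the response) match.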
