Hi,
I would like to know how to block certain ports using the Intel manageability tool.
I just did the following steps to block certain ports for my AMT machine 10.0.3.202:
1. Added the new filter
2. Entered the following details
name :xxxx
type :ipv4(tcp)
direction :receive(outbound traffic)
profile :statistics drop packets
traffic direction :inbound
ip :10.0.3.229 (need to block an HTTP request for this IP)
network mask :255.255.255.255
Clicked the simple port filter (set the source port: 80, dest port: 100) (this blocks the HTTP port, right?)
3. Created the policy, then added the specific filter
4. Activated the policy
But this does not work.
I'm able to communicate from AMT machine 10.0.3.202 to 10.0.3.229 through IE (http://10.0.3.129)
Please help me fix this problem. How can I block a certain port using this Intel manageability tool option? I would also like to know about the source port range and destination port range IPv4/TCP filters.
Thanks,
Mani
Just to be clear, you would like to block http (port 80) traffic from 10.0.3.202? Is it just outgoing http requests or you also want to block incoming http responses too?
Thanks,
AI
Hi,
I would like to block both outgoing HTTP requests and incoming HTTP responses.
I did the following steps to block the incoming HTTP response from the 10.0.3.88 machine to my AMT device (10.0.3.202) through the simple port method:
1. Created the new filter
2. Entered the details as follows
Name :XXX
Type :IPV4(TCP packets)
Direction :receive (Inbound)
Profile :statistics drop packets
Traffic direction : Outbound
Ip address :10.0.3.88
Network mask :255.255.255.255
Click simple port and enter the source port as 443 and destination port as 0.
3. Created a policy with the filter and activated the policy
But it doesn't work. I'm able to browse https://10.0.3.88 from my AMT machine.
For blocking outgoing HTTP requests I did the following steps:
1. Created the new filter
2. Entered the details as follows
Name :XXX
Type :IPV4(TCP packets)
Direction :Transmit (Outbound)
Profile :statistics drop packets
Traffic direction : Inbound
Ip address :10.0.3.88
Network mask :255.255.255.255
Click simple port and enter the source port as 0 and destination port as 443.
3. Created a policy with the filter and activated the policy
But it doesn't work. I'm able to browse https://10.0.3.88 from my AMT machine.
Are the steps I did correct or not? Can you please help me fix the problem,
and also can you please explain how the simple port option works?
Thanks,
Mani
There are a couple of changes that need to be made to your configuration. Try this:
To block outgoing HTTP requests on port 80:
Name :XXX
Type :IPV4(TCP packets)
Direction :Transmit (Outbound)
Profile :statistics drop packets
Traffic direction : Outbound
Ip address :10.0.3.88
Network mask :255.255.0.0
Click destination port range and enter the port as 80 in both the fields.
You can repeat the same for the inbound HTTP traffic. Let me know if this helps.
Thanks,
AI
Hi Ajith Illendula,
I'm able to block port 80 using source port range and destination port range. I would like to know how to block port 80 using the simple port option for a single IP address.
The network mask used is 255.255.0.0, which means it will block the IP range from 10.0.0.0 to 10.0.255.255. Correct me if I'm wrong.
I also noticed one more thing: direction and traffic direction need to be in opposite directions, i.e. if direction is Transmit (Outbound), then traffic direction must be inbound; only then does the filter work. In some cases, like the one you mentioned, direction and traffic direction are the same and it is working fine. For blocking a single IP using an IPV4 filter, direction and traffic direction need to be opposite; only then does the filter get matched. Basically we need to set values to
HdrSrcAddress, HdrSrcMask - for receive (Inbound)
HdrDestAddress, HdrDestMask - for transmit (Outbound)
Correct me if I'm wrong. Can you explain about direction and traffic direction?
Thanks,
Mani
Regards,
Roger
Let me try to explain how the system defense feature in Intel AMT works. When you are creating a filter, you can filter based on ethernet frames, IPv4, IPv6 packets, TCP and UDP packets.
We support both inbound and outbound filters. So for each filter, you will need to specify whether you are configuring an inbound filter or an outbound filter. The direction field determines this. If you set it as outbound, it is an outbound filter. If you set it as inbound, it is an inbound filter. In summary, all incoming packets are compared against the inbound filters and all outgoing packets are compared against the outbound filters.
Now after we have determined the filter direction, the next step is to define what to examine in the network packet. This is where we define whether you want to process the Ethernet headers or IPv4 headers or IPv6 or TCP or UDP. Depending on the type of filter you choose, there are additional settings that need to be configured. Let me try to stick to your example of blocking the HTTP traffic. In this case, the type of filter you need to choose is IPV4/TCP packets in the Manageability Commander tool.
For direction, you define whether it is inbound or outbound as explained above.
For profile, you have the options of pass/drop along with statistics pass/drop
Also, here you have an option to log an event when this filter is matched, you can find it in the event log of Intel AMT device.
Now, since we chose TCP packet filter, you will then have to define some additional parameters as it relates to the ports that you want to filter on.
In the TCP filtering, now you have a choice to filter it on src IP address or dst IP address. This is determined by the traffic direction option in the commander tool.
If your filter type is outbound, and the traffic direction is outbound, you are filtering on dst IP address.
If your filter type is outbound, and the traffic direction is inbound, you are filtering on src IP address.
If your filter type is inbound, and the traffic direction is outbound, you are filtering on src IP address.
If your filter type is inbound, and the traffic direction is inbound, you are filtering on dst IP address.
Depending on your traffic direction, you have to provide the exact IP address and the subnet mask. So for example, if the IP address is 10.0.0.100 and subnet mask is 255.255.255.0, you have to provide these exact values. You cannot provide 255.255.0.0 or 255.255.255.255.
Next comes filtering on ports. Once we have identified the filter type, traffic direction, IP address and subnet mask, we can refine the filter further for the ports that we want to filter on.
You have four choices:
1. No port filtering
2. Simple port filter - where you have to provide exact source filter and destination filter
3. Source port range - range of source ports, if both begin and end are same values, it's equivalent to filtering on one port
4. Destination port range - range of destination ports, if both begin and end are same values, it's equivalent to filtering on one port.
Hope this clarifies now how you can configure these settings to fit your need.
In your specific example, the problem with simple port filtering is that you don't always know what port the OS networking stack will use as a source port, even though we know that the destination port is 80 or 443. So that is the reason I suggested you use an outbound filter with network direction as outbound and destination port range to use as port 80 (or 443 if using https).
Please let me know if you have more questions.
Thanks,
AI
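A small model of the matching rules described in the reply above, added here as an example (it is not Intel's code and not part of the original thread). It shows why a simple port filter misses a browser's HTTP request while a destination port range of 80 to 80 catches it. The class and field names, the masked address comparison, and source port 49732 are assumptions made for illustration.

```python
# Illustrative model of the filter matching described in this thread.
# NOT Intel AMT firmware logic; all names here are hypothetical.
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Packet:                 # one TCP/IPv4 packet seen at the AMT NIC
    way: str                  # "out" = leaving the AMT machine, "in" = arriving
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Filter:
    direction: str            # "out" or "in": which packets are compared at all
    traffic_direction: str    # with direction, selects the address to compare
    ip: str
    mask: str
    port_mode: str = "none"   # "none" | "simple" | "src_range" | "dst_range"
    ports: tuple = (0, 0)     # simple: (src, dst); ranges: (begin, end)

def address_field(f):
    # Mapping as stated in the reply: same directions -> dst, mixed -> src.
    return "dst" if f.direction == f.traffic_direction else "src"

def matches(f, p):
    if p.way != f.direction:  # outbound filters only see outgoing packets
        return False
    # Assumption: the address test is a masked equality.
    m = int(IPv4Address(f.mask))
    addr = int(IPv4Address(getattr(p, address_field(f))))
    if addr & m != int(IPv4Address(f.ip)) & m:
        return False
    a, b = f.ports
    if f.port_mode == "simple":            # both ports must be exact
        return (p.sport, p.dport) == (a, b)
    if f.port_mode == "src_range":
        return a <= p.sport <= b
    if f.port_mode == "dst_range":
        return a <= p.dport <= b
    return True

# Constructed sample: a browser on 10.0.3.202 opens HTTP to 10.0.3.88.
# 49732 stands in for whatever ephemeral source port the OS picks.
REQUEST = Packet("out", "10.0.3.202", "10.0.3.88", 49732, 80)
SIMPLE = Filter("out", "out", "10.0.3.88", "255.255.0.0", "simple", (0, 80))
DST_RANGE = Filter("out", "out", "10.0.3.88", "255.255.0.0", "dst_range", (80, 80))

if __name__ == "__main__":
    print("simple port filter matches:", matches(SIMPLE, REQUEST))
    print("dst port range matches:   ", matches(DST_RANGE, REQUEST))
```

The same outbound filter never sees the returning response, so inbound traffic needs its own inbound filter, as the reply suggests.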