Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
RDP is defaulting to COTP???
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Hell-Razor
Guru
Guru


Joined: 10 Jun 2004
Posts: 458

PostPosted: Wed Feb 20, 2019 3:16 pm    Post subject: RDP is defaulting to COTP??? Reply with quote

Just looking for a little bit of help here, I am clueless and have tried many, many different things so I may miss something. Ill be online most of today checking this so feel free to ask questions or hop into irc to chat.

Anyway this is the situation: I can VPN into my network and authenticate just fine. But as soon as I try to RDP into my desktop, the firewall shoots me down. I am going into port 3389 (rdp) and have tried rdesktop-1.8.4-r1, remmina-1.3.2, freerdp-2.0.0_rc4. If I poke a hole to allow my traffic, the traffic is identified as COTP and not RDP. The firewall is shooting me down on the VERY FIRST packet instead of trying to identify what the protocol is -- that is the reason why I am getting denied. I dont see any malformed packets in tcpdump but upon inspection of a working machine pcap and this machine pcap the only obvious difference is the header length (which may be enough). Many other people are also using Remmina, not all different versions, some are using 1.3.2 as well. If I go to their machine, I can get into my desktop just fine. most of them are using Ubuntu and I have spent a lot of time rolling versions back with no luck.

Here is my emerge --info: https://paste.pound-python.org/show/16LSzKMEuc7pEvs6xhHn/
Here is my kernel config: https://paste.pound-python.org/show/aWmnUAJPSDjVmPxLFpag/
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
Back to top
View user's profile Send private message
Hell-Razor
Guru
Guru


Joined: 10 Jun 2004
Posts: 458

PostPosted: Wed Mar 06, 2019 8:06 pm    Post subject: Reply with quote

Been looking pretty hard into this and still cant find a reason to whats going on.
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14056

PostPosted: Thu Mar 07, 2019 2:24 am    Post subject: Reply with quote

What identifies the traffic as COTP? If you enable debugging, what does it show for why it classifies this as COTP? What does it show for why it classifies other people's traffic as RDP? Have you tried replaying the opening handshake of the good client from your machine to a target RDP server to see how the firewall classifies that?
Back to top
View user's profile Send private message
Hell-Razor
Guru
Guru


Joined: 10 Jun 2004
Posts: 458

PostPosted: Thu Mar 07, 2019 2:52 am    Post subject: Reply with quote

Hu wrote:
What identifies the traffic as COTP? If you enable debugging, what does it show for why it classifies this as COTP? What does it show for why it classifies other people's traffic as RDP? Have you tried replaying the opening handshake of the good client from your machine to a target RDP server to see how the firewall classifies that?


Once I poke a hole in the firewall and the handshake is allowed to complete, the packet is then identified as "cotp".

Debugging in what way?

I have tested several other os distributions, the firewall sees all them as rdp.

I tried replaying everything, something in Gentoo is skewing the first packet to the point where the firewall thinks its not rdp. What that is exactly I do not know, which is why I am trying to reach out here.
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14056

PostPosted: Thu Mar 07, 2019 5:00 am    Post subject: Reply with quote

Yes, I understood from your first post that some as-yet-unidentified firewall is misclassifying this traffic. What firewall is this? When you enable debugging on that firewall, what does it say about its decisions?
Back to top
View user's profile Send private message
Hell-Razor
Guru
Guru


Joined: 10 Jun 2004
Posts: 458

PostPosted: Thu Mar 07, 2019 2:03 pm    Post subject: Reply with quote

Hu wrote:
Yes, I understood from your first post that some as-yet-unidentified firewall is misclassifying this traffic. What firewall is this? When you enable debugging on that firewall, what does it say about its decisions?
Its a palo alto firewall, and the debug just says unknown application.

Whats strange though is I dont think its a firewall problem as people that also use openconnect and remmina (what I am using) are getting through.
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14056

PostPosted: Fri Mar 08, 2019 3:37 am    Post subject: Reply with quote

How can it not be a firewall problem, when the firewall is classifying similar applications differently, then failing or allowing them based on its classifications? You may need to increase debug verbosity and trace its classifier in more detail to see where exactly it decides that one stream is RDP and the other is COTP.
Back to top
View user's profile Send private message
Hell-Razor
Guru
Guru


Joined: 10 Jun 2004
Posts: 458

PostPosted: Fri Mar 08, 2019 2:08 pm    Post subject: Reply with quote

Hu wrote:
How can it not be a firewall problem, when the firewall is classifying similar applications differently, then failing or allowing them based on its classifications? You may need to increase debug verbosity and trace its classifier in more detail to see where exactly it decides that one stream is RDP and the other is COTP.
Its not a firewall problem because the firewall is doing its job, not allowing a policy or rule we dont allow. If I spin up a VM of Ubuntu I can get through on this machine AND of the 30+ people getting through, none are having this problem.
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14056

PostPosted: Sat Mar 09, 2019 2:14 am    Post subject: Reply with quote

Is your policy not to allow RDP? If so, then what are you trying to achieve here? If not, then it looks to be a firewall problem: it is classifying your RDP traffic as non-RDP, then blocking you for using what it things is not RDP. I thought the point of this thread was to get the firewall to recognize your traffic as RDP so that it would allow you in.
Back to top
View user's profile Send private message
Hell-Razor
Guru
Guru


Joined: 10 Jun 2004
Posts: 458

PostPosted: Sat Mar 09, 2019 2:32 am    Post subject: Reply with quote

Hu wrote:
Is your policy not to allow RDP? If so, then what are you trying to achieve here? If not, then it looks to be a firewall problem: it is classifying your RDP traffic as non-RDP, then blocking you for using what it things is not RDP. I thought the point of this thread was to get the firewall to recognize your traffic as RDP so that it would allow you in.


Yes, the policy is allowing RDP. I am trying to figure out what is it on Gentoo that is skewing the packet when the same VPN and RDP work on several other Linux distributions. The firewall is working as it's supposed to, something on my system is off.

Again if I allow COTP then I can get through. I let the rule go, logging for almost two weeks and my box is the only one hitting it from hundreds of others. Gentoo has something somewhere forcing me protocol to COTP.
_________________
Don't ever tell anybody anything. If you do, you start missing everybody.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum