UDP packets are dropped by the PIX

Hi,

My PIX 535 firewall is dropping UDP packets when I make the UDP sessions. I have a global PAT address assigned for the inside users. There are fewer than 1000 users in the inside network. Any idea what could be the cause? All TCP sessions are working fine.


Washington's & Israel's fingerprints are all over Karl Rove's White House "Murder Inc." + [Special Analysis, "sic"] - "UMBRA".


By Wayne Madsen. Online Journal Contributing Writer.

Special Investigation.

DEC 2005 - On September 15, 2001, just four days after the 9-11 attacks, CIA Director George Tenet provided President [sic] Bush with a Top Secret "Worldwide Attack Matrix", a virtual license to kill targets deemed to be a threat to the United States in some 80 countries around the world. The Tenet plan, which was subsequently approved by Bush, essentially reversed the executive orders of four previous U.S. administrations that expressly prohibited political assassinations.

According to high level European intelligence officials, Bush's counselor, Karl Rove, used the new presidential authority to silence a popular Lebanese Christian politician who was planning to offer irrefutable evidence that Israeli Prime Minister Ariel Sharon authorized the massacre of hundreds of Palestinian men, women, and children in the Beirut refugee camps of Sabra and Shatilla in 1982. In addition, Sharon provided the Lebanese forces who carried out the grisly task. At the time of the massacres, Elie Hobeika was intelligence chief of Lebanese Christian forces in Lebanon who were battling Palestinians and other Muslim groups in a bloody civil war. He was also the chief liaison to Israeli Defense Force (IDF) personnel in Lebanon. An official Israeli inquiry into the massacre at the camps, the Kahan Commission, merely found Sharon "indirectly" responsible for the slaughter and fingered Hobeika as the chief instigator.

The Kahan Commission never called on Hobeika to offer testimony in his defense. However, in response to charges brought against Sharon before a special war crimes court in Belgium, Hobeika was urged to testify against Sharon, according to well-informed Lebanese sources. Hobeika was prepared to offer a different version of events than what was contained in the Kahan report. A 1993 Belgian law permitting human rights prosecutions was unusual in that non-Belgians could be tried for violations against other non-Belgians in a Belgian court. Under pressure from the Bush administration, the law was severely amended and the extra territoriality provisions were curtailed.

Hobeika headed the Lebanese forces intelligence agency since the mid- 1970s and he soon developed close ties to the CIA. He was a frequent visitor to the CIA's headquarters at Langley, Virginia. After the Syrian invasion of Lebanon in 1990, Hobeika held a number of cabinet positions in the Lebanese government, a proxy for the Syrian occupation authorities. He also served in the parliament. In July 2001, Hobeika called a press conference and announced he was prepared to testify against Sharon in Belgium and revealed that he had evidence of what actually occurred in Sabra and Shatilla.

Hobeika also indicated that Israel had flown members of the South Lebanon Army (SLA) into Beirut International Airport in an Israeli Air Force C130 transport plane, in full view of dozens of witnesses, including members of the Lebanese army and others. SLA troops under the command of Major Saad Haddad were slipped into the camps to commit the massacres. The SLA troops were under the direct command of Ariel Sharon and an Israeli Mossad agent provocateur named Rafi Eitan. Hobeika offered evidence that a former U.S. ambassador to Lebanon was aware of the Israeli plot. In addition, the IDF had placed a camera in a strategic position to film the Sabra and Shatilla massacres. Hobeika was going to ask that the footage be released as part of the investigation of Sharon.

After announcing he was willing to testify against Sharon, Hobeika became fearful for his safety and began moves to leave Lebanon. Hobeika was not aware that his threats to testify against Sharon had triggered a series of fateful events that reached well into the White House and Sharon's office. On January 24, 2002, Hobeika's car was blown up by a remote controlled bomb placed in a parked Mercedes along a street in the Hazmieh section of Beirut.

The bomb exploded when Hobeika and his three associates, Fares Souweidan, Mitri Ajram, and Waleed Zein, were driving their Range Rover past the TNT-laden Mercedes at 9:40 am Beirut time. The Range Rover's four passengers were killed in the explosion. In case Hobeika's car had taken another route through the neighborhood, two additional parked cars, located at two other choke points, were also rigged with TNT. The powerful bomb wounded a number of other people on the street. Other parked cars were destroyed and buildings and homes were damaged. The Lebanese president, prime minister, and interior minister all claimed that Israeli agents were behind the attack.

It is noteworthy that the State Department's list of global terrorist incidents for 2002 worldwide failed to list the car bombing attack on Hobeika and his party. The White House wanted to ensure the attack was censored from the report. The reason was simple: the attack ultimately had Washington's fingerprints on it.

High level European intelligence sources now report that Karl Rove personally coordinated Hobeika's assassination. The hit on Hobeika employed Syrian intelligence agents. Syrian President Bashar Assad was trying to curry favor with the Bush administration in the aftermath of 9-11 and was more than willing to help the White House. In addition, Assad's father, Hafez Assad, had been an ally of Bush's father during Desert Storm, a period that saw Washington give a "wink and a nod" to Syria's occupation of Lebanon. Rove wanted to help Sharon avoid any political embarrassment from an in absentia trial in Brussels where Hobeika would be a star witness. Rove and Sharon agreed on the plan to use Syrian Military Intelligence agents to assassinate Hobeika. Rove saw Sharon as an indispensable ally of Bush in ensuring the loyalty of the Christian evangelical and Jewish voting blocs in the United States. Sharon saw the plan to have the United States coordinate the hit as a way to mask all connections to Jerusalem.

The Syrian hit team was ordered by Assef Shawkat, the number two man in Syrian military intelligence and a good friend and brother-in-law of Syrian President Bashar Assad. Assad's intelligence services had already cooperated with U.S. intelligence in resorting to unconventional methods to extract information from al Qaeda detainees deported to Syria from the United States and other countries in the wake of 9-11. The order to take out Hobeika was transmitted by Shawkat to Roustom Ghazali, the head of Syrian military intelligence in Beirut. Ghazali "arranged with local killers" for the three remote controlled cars to be parked along Hobeika's route in Hazmieh, only a few hundred yards from the barracks of the Syrian Special Forces which are stationed in the area near the Presidential palace, the Ministry of Defense and various government and officers' quarters.

This particular area is covered 24/7 by a very sophisticated USA multi-agency surveillance system to monitor Syrian and Lebanese security activities and is a "choice" area to live in for its perceived high security; [courtesy of the Special Collections Services "SCS", which is a joint CIA & NSA & DIA team endeavor worldwide.]

The plan to kill Hobeika had all the necessary caveats and built-in denial mechanisms. If the Syrians were discovered beforehand or afterwards, Karl Rove and his associates in the Pentagon's Office of Special Plans would be ensured plausible deniability, given the professional denigration effort that started in earnest, years ahead, in the USA, Israel, France and Lebanon, using multi-layered organizations to denigrate Mr. Elie Hobeika in books and shady publications, in print and on the Internet.

The operation code-named "Zircon" succeeded in eliminating a Lebanese icon, using Syrian, Iranian, and Lebanese Hizbullah operatives, with the full tacit agreement of the Lebanese State apparatus, a classic covert operation handled by highly skilled professionals, who use "witting" and "unwitting elements" to serve sworn enemies in a clandestine fashion. It's called a covert cooperation of parties who are playing enemies, and it's a "Dream Covert Intelligence Exploit" par excellence!

From David Halevy in Time Magazine in 1982, to Barbara Newman, and from USCFL to local and other international creepy actors and seedy players, Mr. Elie Hobeika bore the brunt, single-handedly, of a skilled disinformation machine like no other. In other words, during times of WAR, and in the "peace times" of the NEOCONS..., THE TRUTH is the first victim.

Hobeika's CIA intermediary in Beirut, a man only referred to as "Jason" by Hobeika, was a frequent companion of the Lebanese politician during official and off-duty hours. During Hobeika's year 2000 election campaigns for his parliamentary seat, Jason was often in Hobeika's office offering support and advice. After Hobeika's assassination, Jason became despondent over the death of his colleague. Eventually, Jason disappeared abruptly from Lebanon and reportedly later emerged in Pakistan. Jason was very close to Hobeika.

Karl Rove's involvement in the assassination of Hobeika may not have been the last "hit" he ordered to help out Sharon. In March 2002, a few months after Hobeika's assassination, another Lebanese Christian with knowledge of Sharon's involvement in the Sabra and Shatilla massacres was gunned down along with his wife in Sao Paulo, Brazil. A bullet fired at Michael Nassar's car flattened one of his tires. Nassar pulled into a gasoline station for repairs. A professional assassin, firing a gun with a silencer, shot Nassar and his wife in the head, killing them both instantly. The assailant fled and was never captured. Nassar was also involved with the Phalange militia at Sabra and Shatilla. Nassar was also reportedly willing to testify against Sharon in Belgium and, as a nephew of SLA Commander General Antoine Lahd, may have had important evidence to bolster Hobeika's charge that Sharon ordered SLA forces into the camps to wipe out the Palestinians.

Based on what European intelligence claims is concrete intelligence on Rove's involvement in the assassination of Hobeika, the Bush administration can now add political assassination to its laundry list of other misdeeds, from lying about the reasons to go to war to the torture tactics in violation of the Geneva Conventions that have been employed by the Pentagon and "third country" nationals at prisons in Iraq , Guantanamo Bay, Morocco, and various East European locations, among others....

Wayne Madsen is a Washington, DC-based investigative journalist and columnist. He served in the National Security Agency (NSA) during the Reagan administration and wrote the introduction to Forbidden Truth. He is the co-author, with John Stanton, of "America's Nightmare: The Presidency of George Bush II." His forthcoming book is titled: "Jaded Tasks: Big Oil, Black Ops, and Brass Plates." Madsen can be reached at: snipped-for-privacy@aol.com

It is noteworthy that the State Department's list of global terrorist incidents for 2002 worldwide failed to list the car bombing attack on Hobeika and his party.... But Listed a small Hand Grenade thrown at a U.S. franchise in the middle of the night when the place was closed, empty and no one was hurt? The White House wanted to ensure the terror attack on Mr. Elie Hobeika, and his party of three young men with families, was censored from the report. The reason was simple: this attack ultimately had Washington's and Israel's fingerprints all over it....

Ever since this story came Online, there was a tremendous interest in reading this article 1052, by very noteworthy INTELLIGENCE sources, as outlined below:

This is some of the evidence for you and for the World...article&sid=1052

~encrypted/logs/access ====>> INTELLIGENCE Agencies Servers footprints. Not to mention hundreds of private companies and governments........!

See below: INTELLIGENCE agencies, sources and methods:


Lines 10-36 of my logfiles show a lot of interest in this article (sid=1052):

# grep sid=1052 /encrypted/logs/access_log | awk '{print $1,$7}' | sed -n '10,36p'

spb-213-33-248-190.sovintel.ru /modules.php?name=News&file=article&sid=1052 Soviet/Russian Intelligence services...
ext1.shape.nato.int /modules.php?name=News&file=article&sid=1052 NATO Intel.
server1.namsa.nato.int /modules.php?name=News&file=article&sid=1052 Nato Intel.
ns1.saclantc.nato.int /modules.php?name=News&file=article&sid=1052 Strategic Air Command US Intel.
bxlproxyb.europarl.eu.int /modules.php?name=News&file=article&sid=1052 European Parliament Intel. Unit
wdcsun18.usdoj.gov /modules.php?name=News&file=article&sid=1052 USA Department of Justice...
wdcsun21.usdoj.gov /modules.php?name=News&file=article&sid=1052 USA Department of Justice...
tcs-gateway11.treas.gov /modules.php?name=News&file=article&sid=1052 USA Treasury Department
tcs-gateway13.treas.gov /modules.php?name=News&file=article&sid=1052 USA Treasury Department
relay1.ucia.gov /modules.php?name=News&file=article&sid=1052 CIA Langley
relay2.cia.gov /modules.php?name=News&file=article&sid=1052 CIA Langley
relay2.ucia.gov /modules.php?name=News&file=article&sid=1052 CIA Langley
n021.dhs.gov /modules.php?name=News&file=article&sid=1052 USA Department of Homeland security Intel.
legion.dera.gov.uk /modules.php?name=News&file=article&sid=1052 British Intel.
gateway-fincen.uscg.mil /modules.php?name=News&file=article&sid=1052 Pentagon US.
crawler2.googlebot.com /modules.php?name=News&file=article&sid=1052 Intel....
crawler1.googlebot.com /modules.php?name=News&file=article&sid=1052 Intel.....
gateway101.gsi.gov.uk /modules.php?name=News&file=article&sid=1052 British Intel.
gate11-quantico.nmci.usmc.mil /modules.php?name=News&file=article&sid=1052 USA Marine Corps Quantico Virginia Intel.
gate13-quantico.nmci.usmc.mil /modules.php?name=News&file=article&sid=1052 USA Marine Corps Quantico Virginia Intel.
fw1-a.osis.gov /modules.php?name=News&file=article&sid=1052 US Intel SIS.
crawler13.googlebot.com /modules.php?name=News&file=article&sid=1052 Intel....
fw1-b.osis.gov /modules.php?name=News&file=article&sid=1052 US Intel. OSIS.
bouncer.nics.gov.uk /modules.php?name=News&file=article&sid=1052 British Intel.
beluha.ssu.gov.ua /modules.php?name=News&file=article&sid=1052 Ukrainian Intelligence.
zukprxpro02.zreo.compaq.com /modules.php?name=News&file=article&sid=1052 .... Intel....


In a sanely configured firewall, the ONLY UDP packets that should be allowed through are queries to (and responses from) a name server. NO other service that uses UDP should be allowed through a firewall.

Then what are you worrying about?

Old guy

Reply to
Moe Trin

Only TCP ports open, "Old Guy"? This will go great with multimedia, voice, and video. You cannot set priorities or WFQ, so you must open some UDP ports to allow decent communication. All firewalls dislike UDP, seeing that the connections "hop around" and open a series of embryonic half-open connections, yet you must bend the rules a little, for too much security will not overtake functionality.

Have you tried RFC standards:

fixup protocol udp versus access-list?


Within a "sanely configured firewall", one might want to tunnel VPN connections, such as to provide a higher security access to a financial system. IPSec requires UDP for key negotiation (IKE), and if you are using NAT-T then it also needs UDP 4500.

Reply to
Walter Roberson

I haven't seen such a problem with our setup. The firewall is pretty restrictive purposely.

You must not work at a fairly paranoid facility. I'm the network guy at this facility, yet I don't have access to the (facility) perimeter firewall (that's corporate's problem). This has, however, never been a problem for us.

Old guy

Reply to
Moe Trin

Not allowed on the company wire. The O/P was posting from the New York City Public Schools network - I would hope that they also restrict personal use of city property. Mentioned elsewhere, there are a few systems in the employee break areas (which I now discover are actually owned by the employee association), but those are not connected to the company wire (they share a DSL connection paid for by the employee association - that I knew).

I'm not at liberty to say, but connecting from my personal systems at home to work doesn't show any UDP on a tcpdump. On the work system which is on a company furnished line, the packets aren't even TCP, but "another" protocol.

Old guy

Reply to
Moe Trin

The kind of "financial system" that I was referring to includes payroll systems, accounting systems, purchase systems, wage and benefit systems, contract details, and so on.

It is not uncommon for people to need access to remote resources in different security roles than their neighbours, including sometimes at different security levels. Sometimes that is handled by using distinct networks, but that approach does not scale well -- and probably doesn't fit within the budget of the New York City Public Schools.

An alternative to using multiple networks is to pass encrypted traffic through the common demarc. I have no idea what encryption protocols the military or TLAs use these days; the publicly available recommended standard, IPSec, relies upon UDP.

The traditional "defence in layers" setup is to use multiple layers of security, not to simply attach different security tags to packets that are otherwise all treated equivalently.

Your workplace appears to be operating under a much more stringent threat/risk model than would be the case for most locations.

I am not suggesting that UDP should be acceptable under all threat/risk models, or even to all locations with roughly the same threat/risk model (since different locations have different access needs even if they evaluate the risks much the same way). What I question is your statement that one should not have UDP in any "sanely configured firewall". A "sanely" configured firewall is one configured according to the needs and resources of the organization it is serving. Is UDP really such a security problem that Jumbo Jacks' Popcorn Pendants is at dire risk for allowing any UDP other than DNS through its firewall?

Reply to
Walter Roberson

Merry Christmas!

To the best of my knowledge, those rarely see the Internet here. EFT is handled by some form of tunnel to several banks, but I've seen no indication of UDP. My wife works in accounting in another company, and she tells me that there is ALWAYS dead tree backup of all communications.

I don't have a breakdown of how they've set up the public school system. is the public schools (not including the colleges). The _city_ has two more /16s (161.185 and 167.153), and other _parts_ of the city government also have /16s (CUNY, City College, Hospital, Transit Authority, etc). I'm not including state stuff, or the Port Authority.

Not really my area, but I know the system we're using doesn't depend on UDP - mainly as a logging question, I think.

Agreed - that's why we have air gaps on our networks, and why I don't have access to some network stuff, even though I'm a network guy. That includes payroll for some strange reason ;-)

I've mentioned this before - we're an R&D facility, and about 10 years ago, corporate got religion about this security stuff. Traffic that enters/leaves our facility (never mind the same deal corporate wide) is "controlled". Visiting computers is a _total_ no-no, and I understand that both the janitors and the cafeteria staff had background checks and have signed NDAs.

I'll give you that.

I'd expect that the professional would know what is needed, and what is not. The average person we're seeing in this news group is not the professional, and isn't running a business. As you know, the "correct" firewall configuration is to allow what is needed, and block all else. Hence my statement. The O/P sounds more like a frustrated user, rather than a competent admin enforcing official policy. Have they turned up on comp.dcom.sys.cisco yet? I don't follow that group.

Old guy

Reply to
Moe Trin

I didn't assess it that way. The OP said a PAT address is assigned for the inside users, which is knowledge of the configuration that users would not normally have, and phrasing that users would not normally use.

Yeh, they multiposted. The comp.dcom.sys.cisco discussion is exploring the possibility that they are running out of PAT pool ports. The OP hasn't contributed since the original posting.

Reply to
Walter Roberson
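The comp.dcom.sys.cisco line of inquiry mentioned above, that the PIX is running out of PAT ports, fits the symptom in the original post (UDP dropped, TCP fine) and can be reasoned about with a small model. The following is an added example and not code from this thread or from Cisco: it models a single PAT global address whose ports are released when a TCP connection closes but, for UDP, only after the idle timeout, using the PIX 6.x defaults (timeout conn 1:00:00, timeout udp 0:02:00) and a constructed load of 1000 inside users. The port range, timeouts and per-user flow rate are assumptions chosen to show the mechanism, not measurements from the poster's network.

```python
"""PAT port-pool exhaustion model (added example; not code from the thread).

Models one PAT global address on a stateful firewall such as the PIX: every
new outbound flow from the inside consumes one global source port until its
translation goes away. TCP translations are released when the connection
closes; UDP has no close, so a UDP translation only ages out after the UDP
idle timeout. All numbers below are assumptions for illustration.
"""
import heapq
from collections import deque
from dataclasses import dataclass

PAT_PORT_RANGE = range(1024, 65536)   # assumption: one global IP, high ports only
UDP_IDLE = 120                        # PIX 6.x default: timeout udp 0:02:00
TCP_IDLE = 3600                       # PIX 6.x default: timeout conn 1:00:00


@dataclass
class Xlate:
    key: tuple          # (proto, inside_ip, inside_port)
    global_port: int
    last_seen: float


class PatTable:
    """One global address; ports come from a free list, reclaimed on close or idle."""

    def __init__(self, udp_idle=UDP_IDLE, tcp_idle=TCP_IDLE, pool=PAT_PORT_RANGE):
        self.free = deque(pool)
        self.xlates = {}            # key -> Xlate
        self.expiry = []            # heap of (deadline, key); stale entries are skipped
        self.idle = {"udp": udp_idle, "tcp": tcp_idle}
        self.dropped = 0

    def _expire(self, now):
        while self.expiry and self.expiry[0][0] <= now:
            _, key = heapq.heappop(self.expiry)
            x = self.xlates.get(key)
            # a refreshed xlate has a newer deadline queued; only reap if truly idle
            if x is not None and x.last_seen + self.idle[key[0]] <= now:
                del self.xlates[key]
                self.free.append(x.global_port)

    def translate(self, proto, inside_ip, inside_port, now):
        """Return the global port for this packet, or None when the pool is
        exhausted (no port to hand out, so the firewall drops the packet)."""
        self._expire(now)
        key = (proto, inside_ip, inside_port)
        x = self.xlates.get(key)
        if x is None:
            if not self.free:
                self.dropped += 1
                return None
            x = Xlate(key, self.free.popleft(), now)
            self.xlates[key] = x
        x.last_seen = now
        heapq.heappush(self.expiry, (now + self.idle[proto], key))
        return x.global_port

    def close(self, proto, inside_ip, inside_port):
        """TCP FIN/RST seen: release the port at once. UDP never gets here."""
        x = self.xlates.pop((proto, inside_ip, inside_port), None)
        if x is not None:
            self.free.append(x.global_port)


def steady_state_xlates(users, new_flows_per_user_per_min, hold_seconds):
    """Little's law: concurrent translations = arrival rate * time each is held."""
    return users * new_flows_per_user_per_min / 60.0 * hold_seconds


def simulate(proto, users, new_flows_per_user_per_min, seconds,
             udp_idle=UDP_IDLE, tcp_close_after=1.0):
    """Drive the table with a constructed load; report peak xlates and drops."""
    table = PatTable(udp_idle=udp_idle)
    per_sec = users * new_flows_per_user_per_min // 60
    pending_close = deque()           # (time, key) for TCP flows that will close
    peak = 0
    for i in range(per_sec * seconds):
        now = i / per_sec
        while pending_close and pending_close[0][0] <= now:
            table.close(*pending_close.popleft()[1])
        user = i % users
        ip = f"10.0.{user >> 8}.{user & 255}"          # constructed inside hosts
        sport = 1024 + (i // users) % 64512            # fresh inside source port
        if table.translate(proto, ip, sport, now) is not None and proto == "tcp":
            pending_close.append((now + tcp_close_after, (proto, ip, sport)))
        peak = max(peak, len(table.xlates))
    return {"peak_xlates": peak, "dropped": table.dropped}


if __name__ == "__main__":
    # ~1000 inside users, each starting 36 new flows a minute (chatty DNS/NTP/VoIP)
    print("predicted UDP steady state, 2 min idle:", steady_state_xlates(1000, 36, UDP_IDLE))
    print("udp, 2 min idle  :", simulate("udp", 1000, 36, 180))
    print("udp, 30 s idle   :", simulate("udp", 1000, 36, 180, udp_idle=30))
    print("tcp, closes in 1s:", simulate("tcp", 1000, 36, 180))
```

The prediction needs no simulation at all: translations held = flows per second times seconds held, so 1000 users starting 36 UDP flows a minute each, with a 120 second idle timeout, sit at about 72,000 concurrent translations, more than the 64,512 ports one global address can offer, and new UDP flows are dropped once the pool is empty while TCP at the same rate stays under a thousand because each connection hands its port back on close. On a real PIX the corresponding checks are `show xlate` (translation slots in use) and `show conn` (the UDP connections behind them), together with the configured `timeout udp`; a shorter UDP idle timeout, or a second global address under the same NAT ID, is the usual remedy. Whether the failed translation is visible in syslog depends on the logging level and software release, so check the syslog message guide for the PIX version in use rather than assuming a message.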

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.