RE: [fw-wiz] Wayyy too many spoofed packets

From: Chris de Vidal (chris_at_devidal.tv)
Date: 11/22/03

  • Next message: Bill Royds: "RE: Re: [fw-wiz] Wayyy too many spoofed packets"
    To: "Jeroen De Corel" <jeroen.de.corel@pandora.be>
    Date: Fri, 21 Nov 2003 19:13:58 -0500 (EST)
    
    

    Jeroen De Corel said:
    > What do you mean with packets claiming to be your ip address: a public ip
    > address on the internal network?

    I mean this:
    Network ------------------------ eth0
    172.19.255.255                   172.19.2.200

    Packet (from 172.19.2.200) -----> eth0 (should not ever happen, but
    happened 144 times yesterday out of millions of packets)

    > You wouldn't happen to be running vmware in the background, would you?

    Nope.

    Someone on this list explained that this is probably happening:
    eth0 --> Packet from 172.19.2.200 to 172.19.255.255 --> network
                                                               |
                                                               |
    eth0 <----------------------------------------------------+
    (listening to all traffic destined for 172.19.255.255)

    So I'm probably getting my own broadcast traffic back. But I wasn't
    expecting that :-)

    The solution is to not flag broadcast packets with my IP coming in. I
    think I can add ! -s 172.19.255.255 to my rule.

    Thanks for the help!
    /dev/idal
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
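
Added example, not part of the original message: a log triage sketch that separates the broadcast echo described above from inbound packets that carry the host's source address to a unicast destination. It keys on the destination address of each logged packet. The /16 netmask, the iptables LOG-style line format, the "SPOOF?" prefix and every sample line are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (not from the original post): a /16 netmask, inferred from host
# 172.19.2.200 and broadcast 172.19.255.255, and iptables LOG-style lines.
IFACE = ipaddress.ip_interface("172.19.2.200/16")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

FIELD_RE = re.compile(r"\b(IN|SRC|DST)=(\S*)")

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = """\
Nov 21 10:00:01 fw kernel: SPOOF? IN=eth0 OUT= SRC=172.19.2.200 DST=172.19.255.255 LEN=229 PROTO=UDP SPT=138 DPT=138
Nov 21 10:00:07 fw kernel: SPOOF? IN=eth0 OUT= SRC=172.19.2.200 DST=172.19.2.200 LEN=60 PROTO=TCP SPT=4431 DPT=22
Nov 21 10:00:09 fw kernel: SPOOF? IN=eth0 OUT= SRC=172.19.7.14 DST=172.19.255.255 LEN=78 PROTO=UDP SPT=137 DPT=137
Nov 21 10:00:12 fw kernel: SPOOF? IN=eth0 OUT= SRC=172.19.2.200 DST=255.255.255.255 LEN=78 PROTO=UDP SPT=137 DPT=137
Nov 21 10:00:15 fw kernel: garbage line without fields
"""


def classify(line, iface=IFACE, in_dev="eth0"):
    """Return 'broadcast-echo', 'spoofed', 'other' or 'unparsed' for one line."""
    fields = dict(FIELD_RE.findall(line))
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return "unparsed"
    if fields.get("IN") != in_dev or src != iface.ip:
        return "other"           # not an inbound packet claiming our address
    if dst in (iface.network.broadcast_address, LIMITED_BROADCAST):
        return "broadcast-echo"  # our own broadcast heard back on the wire
    return "spoofed"             # our source address, unicast destination


def summarize(log_text):
    """Count classifications over a block of log text."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            kind = classify(line)
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```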

