RE: [fw-wiz] Wayyy too many spoofed packets

From: Chris de Vidal (chris_at_devidal.tv)
Date: 11/22/03

  • Next message: Bill Royds: "RE: Re: [fw-wiz] Wayyy too many spoofed packets"
    To: "Jeroen De Corel" <jeroen.de.corel@pandora.be>
    Date: Fri, 21 Nov 2003 19:13:58 -0500 (EST)
    
    

    Jeroen De Corel said:
    > What do you mean with packets claiming to be your ip address: a public ip
    > address on the internal network?

    I mean this:
    Network ------------------------ eth0
    172.19.255.255                   172.19.2.200

    Packet (from 172.19.2.200) -----> eth0 (should not ever happen, but
    happened 144 times yesterday out of millions of packets)

    > You wouldn't happen to be running vmware in the background, would you?

    Nope.

    Someone on this list explained that this is probably happening:
    eth0 --> Packet from 172.19.2.200 to 172.19.255.255 --> network
                                                               |
                                                               |
    eth0 <----------------------------------------------------+
    (listening to all traffic destined for 172.19.255.255)

    So I'm probably getting my own broadcast traffic back. But I wasn't
    expecting that :-)

    The solution is to not flag broadcast packets with my IP coming in. I
    think I can add ! -s 172.19.255.255 to my rule.

    Thanks for the help!
    /dev/idal
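
The distinction the message arrives at, as an added example that is not part of the original post: a triage pass over netfilter LOG lines that separates the host's own broadcasts echoed back on eth0 from packets that merely claim its address. The /16 prefix is inferred from the two addresses in the post; the MAC address, the `SELF-SRC` log prefix and the abbreviated log lines are constructed, and the limited-broadcast address and source-MAC check go beyond the case discussed.

```python
import ipaddress
import re
from collections import Counter

# Assumptions: the /16 prefix is inferred from the addresses in the post;
# OWN_MAC, the "SELF-SRC" log prefix and the log lines are constructed.
IFACE_NAME = "eth0"
IFACE = ipaddress.ip_interface("172.19.2.200/16")
OWN_MAC = "02:00:00:aa:bb:cc"
BROADCASTS = {IFACE.network.broadcast_address,          # 172.19.255.255
              ipaddress.ip_address("255.255.255.255")}  # limited broadcast

SAMPLE_LOG = """\
Nov 21 03:14:07 fw kernel: SELF-SRC IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:00:aa:bb:cc:08:00 SRC=172.19.2.200 DST=172.19.255.255 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137
Nov 21 03:20:41 fw kernel: SELF-SRC IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:00:11:22:33:08:00 SRC=172.19.2.200 DST=172.19.255.255 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137
Nov 21 04:02:15 fw kernel: SELF-SRC IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:11:22:33:08:00 SRC=172.19.2.200 DST=172.19.2.200 LEN=60 TTL=63 PROTO=TCP SPT=4431 DPT=22
Nov 21 04:05:00 fw kernel: SELF-SRC IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:00:11:22:33:08:00 SRC=172.19.7.9 DST=172.19.255.255 LEN=78 TTL=64 PROTO=UDP SPT=138 DPT=138
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def classify(line):
    """Label one netfilter LOG line that claims our own address as source."""
    f = dict(FIELD.findall(line))
    if f.get("IN") != IFACE_NAME or f.get("SRC") != str(IFACE.ip) or "DST" not in f:
        return "not-applicable"
    # The LOG target prints MAC= as destination MAC, source MAC, EtherType.
    src_mac = f.get("MAC", "")[18:35].lower()
    if ipaddress.ip_address(f["DST"]) in BROADCASTS:
        # Our own frame looped back by the network, or another host using our IP.
        return "own-broadcast-echo" if src_mac == OWN_MAC else "broadcast-foreign-mac"
    return "suspect-spoof"


def triage(log_text):
    """Count labels over a block of log text, skipping blank lines."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for label, count in sorted(triage(SAMPLE_LOG).items()):
        print(f"{count:3d}  {label}")
```

Only the `own-broadcast-echo` bucket is safe to stop flagging; a broadcast carrying the host's IP from a different source MAC points to an address conflict or a spoofing host on the segment.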