RE: Re: [fw-wiz] Wayyy too many spoofed packets
From: Bill Royds (broyds_at_rogers.com)
To: "'Chris de Vidal'" <email@example.com> Date: Fri, 21 Nov 2003 19:31:22 -0500
As Frank said, you machine is sending broadcasts on both interfaces for
Samba. So you see the broadcasts as received as well. It is not coming from
the net but from your machine itself.
From: Chris de Vidal [mailto:firstname.lastname@example.org]
Sent: November 21, 2003 3:37 PM
Subject: Re: Re: [fw-wiz] Wayyy too many spoofed packets
I'm going to be installing firewalls on my internal servers (yes, I'm
paranoid). These include Samba servers.
I shouldn't expect to see MY IP coming IN from the OUTSIDE.
I saw this kind of spoof protection in another firewall script and copied
it, so I'm sure the rule is correct and I've never seen traffic with MY IP
originating on eth0.
Bill Royds said:
> Are you running Samba on the Linux box which is your firewall? It may be
> that you are seeing traffic from the firewall box itself which has the IP
> address on its eth0 interface does it not?
> Samba will try to enumerate other SMB hosts on its subnet if it is
> running. Backup will also try to find other backup boxes.
>> From: "Chris de Vidal" <email@example.com>
>> Date: 2003/11/21 Fri PM 02:35:56 EST
>> To: Bill@royds.net
>> CC: firstname.lastname@example.org
>> Subject: Re: [fw-wiz] Wayyy too many spoofed packets
>> Sorry if I misunderstand you, but you're saying it's normal for packets
>> coming IN from the network to have my IP? See, that's my concern, not
>> Netmask and broadcast match what you said:
>> eth0 Link encap:Ethernet HWaddr 00:50:DA:0C:04:6E
>> inet addr:172.19.2.200 Bcast:172.19.255.255 Mask:255.255.0.0
>> Again, I'm only concerned about spoofed packets; packets coming from the
>> outside in claiming to have my IP.
>> So is this normal?
>> Bill Royds said:
>> > You have the default netmask set incorrectly (or not set at all) on
>> with IP 172.19.2.200. SMB uses broadcast by default if it has not been
>> given a WINS address to find hosts and net 172.19.x.x is a class B which
>> by default has a netmask of 255.255.0.0 and a broadcast address of
>> > What you are seeing is perfectly normal for a Windows box with
>> > windows network setup (broadcast for name resolution).
>> >> From: "Chris de Vidal" <email@example.com>
>> >> Date: 2003/11/21 Fri AM 10:27:36 EST
>> >> To: firstname.lastname@example.org
>> >> Subject: [fw-wiz] Wayyy too many spoofed packets
>> >> I'm going to be installing firewalls on my internal servers (yes, I'm
>> paranoid) and right now I'm testing in flag-only mode (don't drop any
>> packets) on one server. So-far, so-good, except every day I get about
>> >> "spoofed" packets; packets claiming to be my IP coming INTO the NIC
>> >> Strangely, the destination is always my network's broadcast address.
>> Perhaps even more strangely is I'm seeing it only on SMB (UDP 137:138)
>> >> backup traffic (UDP 20031) ports.
>> >> Here is the rule:
>> >> /sbin/iptables -A bad_packets \
>> >> -i eth0 -s 172.19.2.200 \
>> >> --m limit --limit 3/minute \
>> >> --j LOG --log-level INFO \
>> >> --log-prefix "Spoofed packet type 1 (bad): "
>> >> Here is the log:
>> >> Logged 142 packets on interface eth0
>> >> From 172.19.2.200 - 142 packets
>> >> To 172.19.255.255 - 142 packets
>> >> Service: netbios-ns (udp/137) (Spoofed packet type 1
>> >> (bad):,eth0,none) - 19 packets
>> >> Service: netbios-dgm (udp/138) (Spoofed packet type 1
>> >> (bad):,eth0,none) - 103 packets
>> >> (20031 is the backup port)
>> >> Service: 20031 (udp/20031) (Spoofed packet type 1
>> >> (bad):,eth0,none)
>> >> - 20 packets
>> >> Ideas?
>> >> /dev/idal
>> >> _______________________________________________
>> >> firewall-wizards mailing list
>> >> email@example.com
>> >> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>> firewall-wizards mailing list
firewall-wizards mailing list