RE: Re: [fw-wiz] Wayyy too many spoofed packets

From: Frank Knobbe
Date: 11/22/03

    To: Chris de Vidal
    Date: Fri, 21 Nov 2003 23:03:12 -0600

    On Fri, 2003-11-21 at 22:52, Chris de Vidal wrote:
    > So why do I see so many inbound packets from the network coming through
    > eth0 with my IP? The only explanation that makes sense is a router
    > somewhere rebroadcasting packets...

    Those are packets FROM your IP for the network. They're not spoofed,
    your box sends them to the network.

    +--------+   +----+
    |Your Box|---|eth0|---> network
    +--------+   +----+ ->

    netfilter logs that packet that is trying to leave your box. There are no
    spoofed packets.

    If you turn your box off, and use a different machine with tcpdump,
    sniff the traffic and STILL capture packets with the turned off IP
    address, then I believe you have spoofed packets floating around :)
    Until then, the way I see your description is that you are
    logging/blocking VALID packets FROM your box to the network.



    firewall-wizards mailing list
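
Added example, not part of the original message: a small Python classifier for netfilter LOG lines that separates the case described above (the box's own outbound packets, logged with an empty `IN=` and `OUT=eth0`) from packets that actually arrived on an interface carrying the local source address. The sample lines, the 192.0.2.10 address and the `fw:` log prefix are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG target's KEY=value layout.
# Addresses are documentation ranges; the "fw:" prefix is hypothetical.
SAMPLE_LOG = """\
Nov 21 22:40:01 host kernel: fw: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.255 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 21 22:40:02 host kernel: fw: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=80
Nov 21 22:40:05 host kernel: fw: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=192.0.2.10 LEN=60 TTL=57 PROTO=TCP SPT=1025 DPT=22
Nov 21 22:40:09 host kernel: fw: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51000 DPT=25
Nov 21 22:40:11 host kernel: fw: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=33000 DPT=631
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Return the KEY=value fields of one LOG line; empty values are kept."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # first wins (UDP lines repeat LEN=)
    return fields


def classify(line, local_ip):
    """Say which direction a logged packet with our source address had."""
    f = parse(line)
    if "SRC" not in f or "IN" not in f:
        return "not-a-netfilter-line"
    if f["SRC"] != local_ip:
        return "other-source"
    if f["IN"] == "lo":
        return "loopback"
    if f["IN"] == "" and f.get("OUT"):
        # Locally generated packet leaving the box: valid, not spoofed.
        return "own-outbound"
    # Arrived on a real interface claiming our address: worth a closer look.
    return "inbound-with-local-source"


def summarize(log_text, local_ip):
    """Count log lines per category."""
    lines = (l for l in log_text.splitlines() if l.strip())
    return Counter(classify(l, local_ip) for l in lines)


if __name__ == "__main__":
    for category, count in summarize(SAMPLE_LOG, "192.0.2.10").items():
        print(f"{count:3d}  {category}")
```

Only lines in the `inbound-with-local-source` category call for the off-box tcpdump check described in the message.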
