RE: Odd SonicWall behavior

From: Jason Harris (
Date: 10/27/05

    Date: Thu, 27 Oct 2005 16:12:12 -0500
    To: <>

    Also, do you have an ARP proxy enabled on your interfaces?

    -----Original Message-----
    From: Austin Murkland []
    Sent: Thursday, October 27, 2005 2:00 PM
    To: Ryan James
    Subject: Re: Odd SonicWall behavior

    I've seen this behavior before on cable modem. Does
    that webserver connect to the internet?

    Ryan James wrote:
    > I help out one of the labs at my university keep their network up and
    > pcs running. They have a webserver with some sort of vaguely sensitive
    > information on it, enough so that they requested money for a small
    > firewall for it and some of the other computers in the lab. They got a
    > SonicWall tele3 (I believe) and it was working well for a year or so,
    > but around a week ago the campus's network admin contacted us and said
    > that our network was broadcasting a *lot* of traffic. From my (outside
    > their firewall) I did a packet dump (I can supply it if needed) and the
    > only thing that was unusual was that the sonicwall was sending massive
    > amounts of ARP traffic asking who has the gateway's IP. By massive I
    > mean around twenty a second. Before talking to me, the lab director
    > unplugged each pc one by one from the firewall, but the spamming
    > continued even after everything--including the webserver--had been
    > disconnected. After I was notified, I attempted to log into the
    > firewall to check its logs, but it didn't work. I scanned the firewall
    > with nmap and it returned that all ports were filtered, even though
    > access from within the network to the admin console had been turned on.
    > I also tried connecting to the 'console' port on the sonicwall but either
    > I didn't know how it worked or it wasn't working properly. In addition,
    > it seems that pcs within the firewalled network can dhcp an address from
    > the subnet's gateway (which they couldn't before) and ettercap showed
    > that you can see all the connections on the subnet from within the
    > firewall. Since keeping the webserver up is the lab director's primary
    > goal he doesn't want me to attempt to reflash the firmware unless it's
    > absolutely necessary or if the firewall's been compromised. So I guess
    > my question is: is someone tunneling a connection from our firewall to
    > off-campus over ARP or has the firewall just gone a bit nutty?
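
The symptom described in the quoted message (one device sending around twenty ARP who-has requests a second for the gateway's IP) can be confirmed from a capture by counting ARP requests per sender and target in one-second buckets. This is an added example, not part of the original thread; the MAC and IP addresses, the threshold and the function names are constructed for illustration.

```python
import struct
from collections import Counter

ARP_ETHERTYPE = 0x0806
ARP_REQUEST = 1

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for an ARP request, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte IPv4 ARP payload
        return None
    if struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REQUEST:
        return None
    sender_mac, sender_ip, target_ip = frame[22:28], frame[28:32], frame[38:42]
    dotted = lambda ip: ".".join(map(str, ip))
    return sender_mac.hex(":"), dotted(sender_ip), dotted(target_ip)

def find_arp_floods(packets, threshold=10):
    """packets: iterable of (timestamp_seconds, frame_bytes).
    Returns {(sender_mac, target_ip): peak requests in any one-second bucket}
    for every pair that reaches the threshold (an assumed value, tune per network)."""
    buckets = Counter()
    for ts, frame in packets:
        parsed = parse_arp(frame)
        if parsed:
            mac, _, target = parsed
            buckets[(mac, target, int(ts))] += 1
    peaks = {}
    for (mac, target, _), count in buckets.items():
        if count >= threshold:
            peaks[(mac, target)] = max(count, peaks.get((mac, target), 0))
    return peaks

def build_request(sender_mac, sender_ip, target_ip):
    """Build a broadcast ARP who-has frame (used only to construct sample input)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    return eth + arp + mac + ip(sender_ip) + b"\x00" * 6 + ip(target_ip)

def sample_capture():
    """Constructed capture: one device asks for the gateway 20 times in a second,
    another host asks twice, which is ordinary."""
    noisy = [(100 + i / 20, build_request("02:00:00:00:00:01", "192.0.2.10", "192.0.2.1"))
             for i in range(20)]
    quiet = [(100.1, build_request("02:00:00:00:00:02", "192.0.2.20", "192.0.2.1")),
             (100.6, build_request("02:00:00:00:00:02", "192.0.2.20", "192.0.2.1"))]
    return noisy + quiet

if __name__ == "__main__":
    print(find_arp_floods(sample_capture()))
```
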
