Rui Pedro Bernardino wrote:
> 
> drop   fw1       >le0 proto tcp src 213.61.112.165 dst 255.255.255.255
> service 19000 s_port ftp-data len 40 rule 18
> 
> Well, the first two are easy (someone is trying to check if I allow
> incoming ftp-data through some "non-stateful" packet filter); the third
> one I cannot understand. My external router drops source routed ip
> packets, so how could this packet get here? There are no other systems
> on this VLAN and on previous scans, the src addr was different.

The packet was sent to the broadcast address of the subnet between your
router and firewall.  Since the router is directly connected to the
broadcast destination subnet it takes this directed broadcast and
translates it into a link-layer broadcast which is then seen by the
firewall.

If you have a Cisco router you can use the 'no ip directed-broadcast'
interface command to prevent this translation.  It needs to be applied
to each interface.  Note that this will only block directed broadcasts
to subnets that the router directly touches.  To prevent other directed
broadcasts from passing through the router you will need to create deny
ACLs.  See the following URL for more info.

        http://www.cisco.com/warp/public/707/21.html#directed-bcast

-paul
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
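Added example (not code from the thread or from either poster): a small Python triage helper that parses the FireWall-1 style drop line quoted above and classifies its destination the way Paul's explanation does, distinguishing the limited broadcast (255.255.255.255) from a directed broadcast to one of the router's directly connected subnets, and reporting whether a router with directed broadcasts enabled would have turned that packet into a link-layer broadcast. The log line is the one from the thread re-joined onto a single line; the subnet 192.0.2.0/24 and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Field layout of the FireWall-1 log line quoted in the thread. Assumption:
# "key value" pairs follow the action / origin / direction+interface prefix.
LOG_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<origin>\S+)\s+(?P<direction>[<>])(?P<iface>\S+)\s+"
    r"proto\s+(?P<proto>\S+)\s+src\s+(?P<src>\S+)\s+dst\s+(?P<dst>\S+)\s+"
    r"service\s+(?P<service>\S+)\s+s_port\s+(?P<s_port>\S+)\s+"
    r"len\s+(?P<length>\d+)\s+rule\s+(?P<rule>\d+)$"
)

# The drop line from the thread, re-joined onto one line.
SAMPLE_LOG = (
    "drop fw1 >le0 proto tcp src 213.61.112.165 dst 255.255.255.255 "
    "service 19000 s_port ftp-data len 40 rule 18"
)

# Assumed: the subnet between the router and the firewall. 192.0.2.0/24 is a
# documentation range chosen for the example, not taken from the thread.
CONNECTED_SUBNETS = ["192.0.2.0/24"]


def parse_fw1_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["length"] = int(fields["length"])
    fields["rule"] = int(fields["rule"])
    return fields


def classify_destination(dst, connected_subnets):
    """Classify dst as limited broadcast, directed broadcast, or unicast.

    A directed broadcast is the broadcast address of one of the router's
    directly connected subnets; the router can rewrite it to a link-layer
    broadcast on that segment when 'ip directed-broadcast' is in effect.
    """
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    for subnet in connected_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        if addr == net.broadcast_address:
            return "directed-broadcast:%s" % net
    return "unicast"


def router_emits_l2_broadcast(dst, connected_subnets, directed_broadcast_enabled):
    """True if a router with the given setting would forward dst to the
    segment as a link-layer broadcast (the translation Paul describes)."""
    kind = classify_destination(dst, connected_subnets)
    return kind.startswith("directed-broadcast") and directed_broadcast_enabled


def triage(line, connected_subnets, directed_broadcast_enabled):
    """Parse one drop line and attach the destination classification."""
    fields = parse_fw1_line(line)
    if fields is None:
        return None
    fields["dst_kind"] = classify_destination(fields["dst"], connected_subnets)
    fields["l2_broadcast_via_router"] = router_emits_l2_broadcast(
        fields["dst"], connected_subnets, directed_broadcast_enabled
    )
    return fields


if __name__ == "__main__":
    for enabled in (True, False):
        result = triage(SAMPLE_LOG, CONNECTED_SUBNETS, enabled)
        print("directed-broadcast enabled=%s -> %s" % (enabled, result))
    # A packet to the subnet's own broadcast address is the directed case:
    print(triage(SAMPLE_LOG.replace("255.255.255.255", "192.0.2.255"),
                 CONNECTED_SUBNETS, True))
```

Feeding the real drop line through `triage` shows the firewall saw a limited broadcast, while the same line with the subnet broadcast address substituted shows the directed case that `no ip directed-broadcast` on the router's interface prevents; either classification is something worth flagging in a log review, since neither destination should normally appear in traffic from outside.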