Jose,

The default behaviour under Solaris for displaying of MAC addresses is to
hide all entries behind the inbuilt ethernet adaptor's address.  You can
change this behaviour in two places
      - firstly in NVRAM at the "ok" prompt by setting the variable
        "local-mac-address" to "true"
      - secondly by issuing the following command (as root)
        "eeprom local-mac-address?=true" and re-booting.

This should give you the "burnt in" MAC address of each adaptor (providing
the manufacturer supports this - refer to Sunsolve).

As far as I am aware, the standard convention is that the first address in
a network range is classified as the "network" address (as such is not
used) and the last address in a network range is the "broadcast" address
ie:

   Network      Netmask            Broadcast
   192.168.0.0  255.255.255.240    192.168.0.15

this giving you the ability to address 192.168.0.1-14 as "hosts".

Please humour me but I still do not understand why anyone would be pinging
the "network" address rather than an individual host address.

Regards,

Ken...

From: "Dpto. de Internet- Jose J. Pedrajas" <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
Date: 04/02/2004 02:11
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Question about Spoofing and too many internal hosts
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>

Hello Ken,

Firstly, thanks for your observation. I have made the changes you
suggested; however, the problem is still present on my system:

        - When someone does a ping to the broadcast IP of qe1
(xxx.xxx.xxx.16), the Log Viewer tells me that the ICMP packet tries to
come in through the qe2 interface.

        - When someone does a ping to the broadcast IP of qe2
(xxx.xxx.xxx.32), the Log Viewer tells me that the ICMP packet tries to
come in through the qe1 interface.

The results are:
        1- The FW drops the packet because it thinks that the source IP is
spoofed.
        2- After some minutes, in the syslog I get the typical messages of
"too many internal hosts detected".

I think that the 2nd problem is a consequence of the 1st problem.

I have observed that my ARP table has the following 2 lines:

    qe1    xxx.xxx.xxx.16         255.255.255.255  SP    ..:..:..:..:..:84
    qe2    xxx.xxx.xxx.16         255.255.255.255        ..:..:..:..:..:84

Is it normal that the same MAC address appears on 2 different interfaces? If
not, how can I resolve the problem?

I have been sniffing my network card for the broadcast packets, and the
only 2 packets I saw were:

Using device /dev/qe (promiscuous mode)
ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 9:48:35.39
ETHER:  Packet size = 74 bytes
ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER:  Source      = ..:..:..:..:..:84, Sun    ====> The MAC of qe1
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 60 bytes
IP:   Identification = 3387
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 1 seconds/hops
IP:   Protocol = 1 (ICMP)
IP:   Header checksum = a227
IP:   Source address = 81.41.214.217, 217.Red-81-41-214.pooles.rima-tde.net
IP:   Destination address = xxx.xxx.xxx.16, xxx.xxx.xxx.xxx.16
IP:   No options
IP:
ICMP:  ----- ICMP Header -----
ICMP:
ICMP:  Type = 8 (Echo request)
ICMP:  Code = 0
ICMP:  Checksum = 375c
ICMP:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 2 arrived at 9:48:40.18
ETHER:  Packet size = 74 bytes
ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER:  Source      = ..:..:..:..:..:85, Sun    ====> The MAC of qe2
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 60 bytes
IP:   Identification = 3395
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 1 seconds/hops
IP:   Protocol = 1 (ICMP)
IP:   Header checksum = a20f
IP:   Source address = 81.41.214.217, 217.Red-81-41-214.pooles.rima-tde.net
IP:   Destination address = yyy.yyy.yyy.32, yyy.yyy.yyy.32
IP:   No options
IP:
ICMP:  ----- ICMP Header -----
ICMP:
ICMP:  Type = 8 (Echo request)
ICMP:  Code = 0
ICMP:  Checksum = 365c
ICMP:


Could you help me, please?


Greetings,

Jose

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 02, 2004 9:50 PM
Subject: Re: [FW-1] Question about Spoofing and too many internal hosts


Jose,

You mention that in the interface tab of the gateway object the IP
Addresses for the interfaces are as follows:

* Interfaces tab :

    name / Address / Mask / Anti spoof
    qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
    qe1 / xxx.xxx.xxx.16 / 255.255.255.240 / This net
    qe2 / xxx.xxx.xxx.32 / 255.255.255.240 / This net


Based upon your netmasking, the displayed addresses are network addresses
not host addresses.  I think that they should be:

* Interfaces tab :

    name / Address / Mask / Anti spoof
    qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
    qe1 / xxx.xxx.xxx.17 / 255.255.255.240 / This net
    qe2 / xxx.xxx.xxx.33 / 255.255.255.240 / This net

Did you do a get "Interfaces with Topology" under the Topology tab of the
gateway object?

Regards,

Ken...
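
Added example, not part of the original thread: a small audit that compares the addresses in the gateway object's Interfaces tab with what ifconfig reports and classifies each one as a network, broadcast or host address, which is the check Ken applies by hand above. The 192.168.0 prefix is a constructed stand-in for the masked xxx.xxx.xxx, and the function names are illustrative only.

```python
import ipaddress
import re

# Constructed input: 192.168.0 stands in for the masked xxx.xxx.xxx prefix;
# the last octets, masks and anti-spoof settings are the ones quoted in the thread.
IFCONFIG = """\
qe0: inet 192.168.0.2  netmask fffffff0 broadcast 192.168.0.15
qe1: inet 192.168.0.17 netmask fffffff0 broadcast 192.168.0.31
qe2: inet 192.168.0.33 netmask fffffff0 broadcast 192.168.0.47
"""
TOPOLOGY = """\
qe0 / 192.168.0.2 / 255.255.255.240 / Others + broadcast
qe1 / 192.168.0.16 / 255.255.255.240 / This net
qe2 / 192.168.0.32 / 255.255.255.240 / This net
"""

def role(addr, mask):
    """Classify addr within its subnet as 'network', 'broadcast' or 'host'."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    ip = ipaddress.ip_address(addr)
    if ip == net.network_address:
        return "network"
    return "broadcast" if ip == net.broadcast_address else "host"

def parse_ifconfig(text):
    """Map interface name -> (address, dotted mask) from ifconfig-style lines."""
    pat = re.compile(r"^(\w+): inet (\S+)\s+netmask ([0-9a-f]{8})", re.M)
    return {name: (addr, str(ipaddress.ip_address(int(hexmask, 16))))
            for name, addr, hexmask in pat.findall(text)}

def parse_topology(text):
    """Map interface name -> (address, mask) from 'name / Address / Mask / ...' rows."""
    rows = [line.split(" / ") for line in text.splitlines() if line.strip()]
    return {r[0].strip(): (r[1].strip(), r[2].strip()) for r in rows}

def audit(ifconfig_text, topology_text):
    """Report topology entries that are not host addresses or differ from ifconfig."""
    live, findings = parse_ifconfig(ifconfig_text), []
    for name, (addr, mask) in parse_topology(topology_text).items():
        kind = role(addr, mask)
        if kind != "host":
            findings.append(f"{name}: {addr} is the {kind} address of its subnet")
        actual = "/".join(live.get(name, ("no such interface",)))
        if actual != f"{addr}/{mask}":
            findings.append(f"{name}: object has {addr}/{mask}, interface has {actual}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(IFCONFIG, TOPOLOGY)))
```

With the values from the thread it reports qe1 and qe2 twice each (network address, and mismatch with ifconfig) and nothing for qe0.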

From: "Dpto. de Internet- Jose J. Pedrajas" <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
Date: 03/02/2004 04:57
To: [EMAIL PROTECTED]
Subject: [FW-1] Question about Spoofing and too many internal hosts
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>

Hi,

I have a Sun machine with FW-1 and 3 interfaces which are configured as
follows :

    qe0: inet xxx.xxx.xxx.2  netmask fffffff0 broadcast xxx.xxx.xxx.15
    qe1: inet xxx.xxx.xxx.17 netmask fffffff0 broadcast xxx.xxx.xxx.31
    qe2: inet xxx.xxx.xxx.33 netmask fffffff0 broadcast xxx.xxx.xxx.47


I have configured an object for the above machine at FW-1 as follows :

* General tab :
    IP :   xxx.xxx.xxx.2
    Location :  internal
    Type :  gateway
    Firewall-1 installed option :  check

* Interfaces tab :

    name / Address / Mask / Anti spoof
    qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
    qe1 / xxx.xxx.xxx.16 / 255.255.255.240 / This net
    qe2 / xxx.xxx.xxx.32 / 255.255.255.240 / This net


The problem is that when I try to do a "ping" (or a DNS query) from the IP
yyy.yyy.yyy.yyy to the IP xxx.xxx.xxx.16 (broadcast), I can see the
following line in the log viewer:

    Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
    0 / -> qe2 / yyy.yyy.yyy.yyy /   /  xxx.xxx.xxx.16 /   / icmp / drop
    0 / -> qe2 / yyy.yyy.yyy.yyy / zzzz  /  xxx.xxx.xxx.16 / domain / udp / drop

The IP xxx.xxx.xxx.16 belongs to qe1 and not to qe2. I don't know why this
packet is redirected to the qe2 interface and not to qe1. I think that,
in any case, the line should be the following:

    Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
    0 / -> qe1 / yyy.yyy.yyy.yyy /   /  xxx.xxx.xxx.16 /   / icmp / drop
    0 / -> qe1 / yyy.yyy.yyy.yyy / zzzz  /  xxx.xxx.xxx.16 / domain / udp / drop


On the other hand, if I try to do a "telnet xxx.xxx.xxx.16 bbbb", I see the
following line in the log viewer:

    Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
    aa / -> qe0 / yyy.yyy.yyy.yyy /  zzzz /  xxx.xxx.xxx.16 /  bbbb / tcp / drop

That is, the line in the log is correct.

Besides, I get the typical message of "too many internal hosts detected" as
a consequence of the problem mentioned.

Could someone please help me?

Thanks and best regards,

Jose

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================


