Jose,

If you set the local-mac-address=true then it will not fix your problem but
when you execute the "arp -a" command it will show you the arp entries and
what mac address they appear on.  Helps in problem diagnosis.

Your arp entries may consist of having "flags" of SP, SM or blank.
 - SP flags relate to the ip addresses assigned to the different adaptor
interfaces and also any "proxy arp" addresses you may have assigned
 - SM flags relate to any multicast addresses assigned
 - blank flags relate to any "learnt" addresses ie other machines that are
locally connected to the networks of your adaptor interfaces

I have a small suspicion that there is a configuration problem but unless I
saw the contents of some sensitive (not posted to a mailing-list) files I
do not know what else I can do to assist you.

You can e-mail me directly if you wish and I can let you know what I would
need to see.

Regards,

Ken Welsh

From: "Dpto. de Internet- Jose J. Pedrajas" <[EMAIL PROTECTED]P.ES>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: [EMAIL PROTECTED]INT.COM
Subject: Re: [FW-1] Question about Spoofing and too many internal hosts
Date: 12/02/2004 03:27
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>

Hi Ken,


>The default behaviour under Solaris for displaying of MAC addresses is to
>hide all entries behind the inbuilt ethernet adaptor's address.  You can
>change this behaviour in two places
>     - firstly in NVRAM at the "ok" prompt by setting the variable "
>local-mac-address" to "true"
>      - secondly by issuing the following command (as root) "eeprom
>local-mac-address?=true" and re-booting.

I have this parameter set to "local-mac-address=false"; however, does this
parameter affect my problem? I don't see how it can.


>this giving you the ability to address 192.168.0.1-14 as "hosts".
>Please humour me but I still do not understand why anyone would be pinging
>the "network" address rather than an individual host address.

Well, the problem is not that someone wants to ping the "network" address
but that I see the following lines in the Log Viewer :

        date / time / rule / Interface / source / S_port / Destination / service / Protocol / Action / Info
        11Feb2004 / 14:30:52 / 0 / qe2 / <any external IP> / / xxx.xxx.xxx.16 / / icmp / drop / icmp-type 8 icmp-code 0
        11Feb2004 / 14:30:52 / 0 / qe2 / <any external IP> / / xxx.xxx.xxx.31 / / icmp / drop / icmp-type 8 icmp-code 0
        11Feb2004 / 14:30:52 / 0 / qe1 / <any external IP> / / xxx.xxx.xxx.32 / / icmp / drop / icmp-type 8 icmp-code 0
        11Feb2004 / 14:30:52 / 0 / qe1 / <any external IP> / / xxx.xxx.xxx.47 / / icmp / drop / icmp-type 8 icmp-code 0

It seems that the same 4 lines always appear at exactly the same time, one
after the other. The same external IP does the 4 echo requests to the
"network address" and "broadcast address". It always happens with the ICMP
protocol.

So I cannot understand some things:

    1st - what is the reason for "pinging" my network and broadcast
addresses?
    2nd - why does FW1 tell me that the "ping" comes from interfaces qe1/qe2?
If the source IP is external I think that the interface should be qe0 and not
qe1/qe2.

I executed "snoop -d qe0 <external-ip>" and then did a ping from the
external IP to xxx.xxx.xxx.16 (and .32), and I get the following:

-> At Log viewer :

        11Feb2004 / 14:30:52 / 0 / qe2 / <external-IP> / / xxx.xxx.xxx.16 / / icmp / drop / icmp-type 8 icmp-code 0
        11Feb2004 / 14:30:52 / 0 / qe1 / <external-IP> / / xxx.xxx.xxx.32 / / icmp / drop / icmp-type 8 icmp-code 0


-> At the snoop capture, doing a "ping xxx.xxx.xxx.16" I get :

    # snoop -d qe0 <external-ip>
    Using device /dev/qe (promiscuous mode)
    <external-ip>  ->   xxx.xxx.xxx.16 ICMP Echo request

    # snoop -d qe1 <external-ip>
    Using device /dev/qe (promiscuous mode)
    <external-ip>  ->   xxx.xxx.xxx.16 ICMP Echo request
(*)    xxx.xxx.xxx.18  ->  <external-ip>  ICMP Echo reply

    # snoop -d qe2 <external-ip>
    Using device /dev/qe (promiscuous mode)
    <external-ip>  ->   xxx.xxx.xxx.16 ICMP Echo request


At the snoop capture, doing a "ping xxx.xxx.xxx.32" I get :

    # snoop -d qe0 <external-ip>
    Using device /dev/qe (promiscuous mode)
    <external-ip>  ->   xxx.xxx.xxx.32 ICMP Echo request

    # snoop -d qe1 <external-ip>
    Using device /dev/qe (promiscuous mode)
    <external-ip>  ->   xxx.xxx.xxx.32 ICMP Echo request

    # snoop -d qe2 <external-ip>
    Using device /dev/qe (promiscuous mode)
    <external-ip>  ->   xxx.xxx.xxx.32 ICMP Echo request


No more lines related to the <external-ip> appear in the snoop capture.


Why does the line marked (*) happen? A ping to IP .16, and the computer
with IP .18 replies?



I wonder if my Sun computer has a mistake in its configuration and if the
computer is the one that does the strange ping. Could the problem be here?

I can reproduce the problem if I execute a "ping" to these addresses from an
external IP.


What do you think about that?


Regards,

Jose

From: "Dpto. de Internet- Jose J. Pedrajas" <[EMAIL PROTECTED]P.ES>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: [EMAIL PROTECTED]INT.COM
Subject: Re: [FW-1] Question about Spoofing and too many internal hosts
Date: 04/02/2004 02:11
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>

Hello Ken,

Firstly, thanks for your observation. I have made the changes you suggested,
however the problem is still present on my system:

        - When someone does a ping to the broadcast IP of qe1
(xxx.xxx.xxx.16), the Log Viewer tells me that the icmp packet tries to come
in through the qe2 interface.

        - When someone does a ping to the broadcast IP of qe2
(xxx.xxx.xxx.32), the Log Viewer tells me that the icmp packet tries to come
in through the qe1 interface.

The results are:
        1- The FW drops the packet because it thinks that the source IP is
spoofed.
        2- After some minutes I get the typical messages of "too many
internal hosts detected" in the syslog.

I think that the 2nd problem is a consequence of the 1st problem.

I have observed that my ARP table has the following 2 lines :

    qe1    xxx.xxx.xxx.16         255.255.255.255  SP    ..:..:..:..:..:84
    qe2    xxx.xxx.xxx.16         255.255.255.255        ..:..:..:..:..:84

Is it normal that the same MAC address appears on 2 different interfaces? If
not, how can I resolve the problem?

I have been sniffing my network card for the broadcast packets and the only
2 packets I saw were:

Using device /dev/qe (promiscuous mode)
ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 9:48:35.39
ETHER:  Packet size = 74 bytes
ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER:  Source      = ..:..:..:..:..:84, Sun          ====================> The MAC of qe1
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 60 bytes
IP:   Identification = 3387
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 1 seconds/hops
IP:   Protocol = 1 (ICMP)
IP:   Header checksum = a227
IP:   Source address = 81.41.214.217, 217.Red-81-41-214.pooles.rima-tde.net
IP:   Destination address = xxx.xxx.xxx.16, xxx.xxx.xxx.xxx.16
IP:   No options
IP:
ICMP:  ----- ICMP Header -----
ICMP:
ICMP:  Type = 8 (Echo request)
ICMP:  Code = 0
ICMP:  Checksum = 375c
ICMP:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 2 arrived at 9:48:40.18
ETHER:  Packet size = 74 bytes
ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER:  Source      = ..:..:..:..:..:85, Sun          ====================> The MAC of qe2
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 60 bytes
IP:   Identification = 3395
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 1 seconds/hops
IP:   Protocol = 1 (ICMP)
IP:   Header checksum = a20f
IP:   Source address = 81.41.214.217, 217.Red-81-41-214.pooles.rima-tde.net
IP:   Destination address = yyy.yyy.yyy.32, yyy.yyy.yyy.32
IP:   No options
IP:
ICMP:  ----- ICMP Header -----
ICMP:
ICMP:  Type = 8 (Echo request)
ICMP:  Code = 0
ICMP:  Checksum = 365c
ICMP:


Could you help me, please?


Greetings,

Jose

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 02, 2004 9:50 PM
Subject: Re: [FW-1] Question about Spoofing and too many internal hosts


Jose,

You mention that in the interface tab of the gateway object the IP
Addresses for the interfaces are as follows:

* Interfaces tab :

    name / Address / Mask / Anti spoof
    qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
    qe1 / xxx.xxx.xxx.16 / 255.255.255.240 / This net
    qe2 / xxx.xxx.xxx.32 / 255.255.255.240 / This net


Based upon your netmasking, the displayed addresses are network addresses
not host addresses.  I think that they should be:

* Interfaces tab :

    name / Address / Mask / Anti spoof
    qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
    qe1 / xxx.xxx.xxx.17 / 255.255.255.240 / This net
    qe2 / xxx.xxx.xxx.33 / 255.255.255.240 / This net

Did you do a get "Interfaces with Topology" under the Topology tab of the
gateway object?

Regards,

Ken...
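A worked check for the point Ken makes above, added here and not part of the thread: it parses Solaris ifconfig lines (hex netmask) and the FW-1 Interfaces tab as posted, with the placeholder 10.0.0 standing in for the redacted xxx.xxx.xxx, flags object addresses that are the network or broadcast address under the /28 mask or disagree with the OS, and reports which interface's directly connected network each logged destination belongs to. All sample inputs are constructed from the thread.

```python
import ipaddress

# Constructed sample input modelled on the thread ("xxx.xxx.xxx" replaced by
# the placeholder 10.0.0): ifconfig lines, the Interfaces tab, Log Viewer rows.
IFCONFIG = """\
qe0: inet 10.0.0.2  netmask fffffff0 broadcast 10.0.0.15
qe1: inet 10.0.0.17 netmask fffffff0 broadcast 10.0.0.31
qe2: inet 10.0.0.33 netmask fffffff0 broadcast 10.0.0.47
"""
FW1_INTERFACES = [  # name, Address, Mask, Anti spoof (as in the gateway object)
    ("qe0", "10.0.0.2", "255.255.255.240", "Others + broadcast"),
    ("qe1", "10.0.0.16", "255.255.255.240", "This net"),
    ("qe2", "10.0.0.32", "255.255.255.240", "This net"),
]
LOG_ROWS = [("qe2", "10.0.0.16"), ("qe2", "10.0.0.31"),  # (Interface, Destination)
            ("qe1", "10.0.0.32"), ("qe1", "10.0.0.47")]  # as shown in Log Viewer

def parse_ifconfig(text):
    """Return {ifname: IPv4Interface} from Solaris-style ifconfig output."""
    result = {}
    for line in text.splitlines():
        name, _, addr, _, hexmask, *_ = line.replace(":", " ", 1).split()
        prefix = bin(int(hexmask, 16)).count("1")  # fffffff0 -> /28
        result[name] = ipaddress.ip_interface(f"{addr}/{prefix}")
    return result

def check_fw1_interfaces(fw_rows, ifconfig):
    """Flag Interfaces-tab rows whose Address is not a usable host address."""
    problems = {}
    for name, addr, mask, _ in fw_rows:
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        net, issues = iface.network, []
        if iface.ip == net.network_address:
            issues.append(f"{addr} is the network address of {net}")
        elif iface.ip == net.broadcast_address:
            issues.append(f"{addr} is the broadcast address of {net}")
        if name in ifconfig and ifconfig[name].ip != iface.ip:
            issues.append(f"OS has {ifconfig[name].ip}, object has {addr}")
        problems[name] = issues
    return problems

def classify(dst, ifconfig):
    """(interface whose directly connected net contains dst, address kind)."""
    ip = ipaddress.ip_address(dst)
    for name, iface in ifconfig.items():
        net = iface.network
        if ip in net:
            kind = ("network" if ip == net.network_address else
                    "broadcast" if ip == net.broadcast_address else "host")
            return name, kind
    return None, "not directly connected"

def audit_log(rows, ifconfig):
    """Pair each logged (interface, destination) with the owning interface."""
    return [(dst, logged, *classify(dst, ifconfig)) for logged, dst in rows]
```

Running check_fw1_interfaces on these rows reports qe1 and qe2 as configured with their network addresses (and differing from the OS), while audit_log shows every logged destination is the network or broadcast address of the other interface's net.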





From: "Dpto. de Internet- Jose J. Pedrajas" <[EMAIL PROTECTED]P.ES>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: [EMAIL PROTECTED]INT.COM
Subject: [FW-1] Question about Spoofing and too many internal hosts
Date: 03/02/2004 04:57
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>

Hi,

I have a Sun machine with FW-1 and 3 interfaces which are configured as
follows :

    qe0: inet xxx.xxx.xxx.2  netmask fffffff0 broadcast xxx.xxx.xxx.15
    qe1: inet xxx.xxx.xxx.17 netmask fffffff0 broadcast xxx.xxx.xxx.31
    qe2: inet xxx.xxx.xxx.33 netmask fffffff0 broadcast xxx.xxx.xxx.47


I have configured an object for the above machine at FW-1 as follows :

* General tab :
    IP :   xxx.xxx.xxx.2
    Location :  internal
    Type :  gateway
    Firewall-1 installed option :  check

* Interfaces tab :

    name / Address / Mask / Anti spoof
    qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
    qe1 / xxx.xxx.xxx.16 / 255.255.255.240 / This net
    qe2 / xxx.xxx.xxx.32 / 255.255.255.240 / This net


The problem is that when I try to do a "ping" (or a dns query) from the ip
yyy.yyy.yyy.yyy to the ip xxx.xxx.xxx.16 (broadcast), I can see at the log
viewer the following line :

    Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
    0 / -> qe2 / yyy.yyy.yyy.yyy / / xxx.xxx.xxx.16 / / icmp / drop
    0 / -> qe2 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / domain / udp / drop

The IP xxx.xxx.xxx.16 belongs to qe1 and not to qe2; I don't know why this
packet is redirected to the qe2 interface and not to qe1. I think that,
in any case, the line should be the following:

    Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
    0 / -> qe1 / yyy.yyy.yyy.yyy / / xxx.xxx.xxx.16 / / icmp / drop
    0 / -> qe1 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / domain / udp / drop


On the other hand, if I try to do a "telnet xxx.xxx.xxx.16 bbbb", I see the
following line at the log viewer:

    Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
    aa / -> qe0 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / bbbb / tcp / drop

that is, the line in the log is correct.

Besides, I get the typical message of "too many internal hosts detected" as a
consequence of the problem mentioned.

Please, could someone help me?

Thanks and best regards,

Jose

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================



WARNING - This email and any attachments may be confidential. If received
in
error, please delete and inform us by return email.

Because emails and attachments may be interfered with, may contain computer
viruses or other defects and may not be successfully replicated on other
systems,
you must be cautious. Westpac cannot guarantee that what you receive is
what
we sent. If you have any doubts about the authenticity of an email by
Westpac,
please contact us immediately.

It is also important to check for viruses and defects before opening or
using attachments. Westpac's liability is limited to resupplying any
affected attachments.

Westpac Banking Corporation ABN is 33 007 457 141.




