At 07:53 AM 11/19/2001 -0500, Christopher Congdon wrote:
>I'm still having problems with spoofing alerts from my gnatbox.
>
>Here are the active filters I have installed on my box.
>
>GNAT Box Active Filters
>
>Outbound
>Index Count Description
>2 11434 Accept notice "PROTECTED" ALL from "ANY_IP" to "ANY_IP"
>Remote Access
>Index Count Description
>1 41 Accept notice "PROTECTED" TCP from "ANY_IP" to "ANY_IP" 8080
>2 0 Accept notice "PROTECTED" TCP from "ANY_IP" to "ANY_IP" 77
>3 329 Accept notice "EXTERNAL" TCP from 63.94.115.115/255.255.255.255 to "ANY_IP" 8080
>6 20117 Deny warning ANY UDP nolog from "ANY_IP" to "ANY_IP" 9 67 68 137 138 161 513
>7 0 Deny warning ANY UDP nolog from "ANY_IP" to "ANY_IP" 520
>12 0 Accept notice ANY TCP nolog from "ANY_IP" to "ANY_IP" 113
>13 12 Accept notice ANY ICMP from "ANY_IP" 8 to "ANY_IP" 8
>14 0 Deny warning ANY UDP nolog genICMP from "ANY_IP" to "ANY_IP" 32767:65535
>15 329 Deny warning ANY TCP nolog from "ANY_IP" 80 to "ANY_IP" 1024:65535
>16 14286 Deny warning ANY ALL alarm from "ANY_IP" to "ANY_IP"
>
>The error messages I am getting are:
>
>Nov 19 07:51:03 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.61/53] xl0 l=49
>Nov 19 07:51:02 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.61/53] xl0 l=49
>Nov 19 07:51:00 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.61/53] xl0 l=49
>Nov 19 07:50:59 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.62/53] xl0 l=49
>Nov 19 07:50:57 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.62/53] xl0 l=49
>Nov 19 07:50:56 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.62/53] xl0 l=49
>
>vx0 is my external interface and xl0 is my protected interface. I don't
>even know where the heck 192.168.1.1 is coming from since the IP address
>of my protected interface is 192.168.0.1 and my two client IP's are
>192.168.0.5 and 192.168.0.10. 63.94.115.61 is the IP address of a DNS
>server on my network which is in a separate location from where this
>'spoofed' gnatbox is at.
>
>I really do NOT understand what the deal is here, especially with the
>unknown IP address. Any help in tracking this problem down would be most
>helpful.

Check to make 100% sure there are no hosts on the PRO network that could possibly have a 192.168.1.x IP address. This would definitely cause the spoof messages.
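
To narrow down which addresses are behind the alerts, this added example (not part of the original thread) parses the "Possible spoof" lines quoted above and counts sources that arrived on the protected interface but fall outside its subnet. The /24 mask on 192.168.0.0 and all function names are assumptions; the regex covers only the log format shown in the quoted message.

```python
import ipaddress
import re
from collections import Counter

# The six alert lines quoted in the thread, one per line, plus one
# constructed non-alert line to show that unrelated entries are skipped.
SAMPLE_LOG = """\
Nov 19 07:51:03 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.61/53] xl0 l=49
Nov 19 07:51:02 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.61/53] xl0 l=49
Nov 19 07:51:00 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.61/53] xl0 l=49
Nov 19 07:50:59 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.62/53] xl0 l=49
Nov 19 07:50:57 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.62/53] xl0 l=49
Nov 19 07:50:56 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.62/53] xl0 l=49
Nov 19 07:50:55 (constructed) some unrelated log entry
"""

# Matches only the alert layout seen in the thread (assumption: other
# protocols are logged with the same [ip/port]->[ip/port] shape).
SPOOF_RE = re.compile(
    r"FILTER: Possible spoof, return interface (?P<ret>\S+) != arrival (?P<arr>\S+): "
    r"\w+ (?P<proto>\w+) \[(?P<src>[\d.]+)/(?P<sport>\d+)\]->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
)

def parse_spoof_alerts(text):
    """Yield one dict of fields per 'Possible spoof' line; skip everything else."""
    for line in text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            yield m.groupdict()

def off_subnet_sources(text, iface, network):
    """Count alerts that arrived on `iface` with a source address outside `network`."""
    net = ipaddress.ip_network(network)
    hits = Counter()
    for a in parse_spoof_alerts(text):
        if a["arr"] == iface and ipaddress.ip_address(a["src"]) not in net:
            hits[(a["src"], a["proto"], int(a["sport"]))] += 1
    return hits

if __name__ == "__main__":
    # xl0 is the protected interface per the thread; the /24 mask is an assumption.
    found = off_subnet_sources(SAMPLE_LOG, "xl0", "192.168.0.0/24")
    for (src, proto, sport), n in found.most_common():
        print(f"{n:4d} alerts  src={src}  {proto} sport={sport}")
```

Each address it reports is a candidate for the misconfigured host the reply describes.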
