I'm still having problems with spoofing alerts from my gnatbox. Here are the active filters I have installed on my box.
GNAT Box Active Filters

Outbound
Index  Count  Description
2      11434  Accept notice "PROTECTED" ALL from "ANY_IP" to "ANY_IP"

Remote Access
Index  Count  Description
1      41     Accept notice "PROTECTED" TCP from "ANY_IP" to "ANY_IP" 8080
2      0      Accept notice "PROTECTED" TCP from "ANY_IP" to "ANY_IP" 77
3      329    Accept notice "EXTERNAL" TCP from 63.94.115.115/255.255.255.255 to "ANY_IP" 8080
6      20117  Deny warning ANY UDP nolog from "ANY_IP" to "ANY_IP" 9 67 68 137 138 161 513
7      0      Deny warning ANY UDP nolog from "ANY_IP" to "ANY_IP" 520
12     0      Accept notice ANY TCP nolog from "ANY_IP" to "ANY_IP" 113
13     12     Accept notice ANY ICMP from "ANY_IP" 8 to "ANY_IP" 8
14     0      Deny warning ANY UDP nolog genICMP from "ANY_IP" to "ANY_IP" 32767:65535
15     329    Deny warning ANY TCP nolog from "ANY_IP" 80 to "ANY_IP" 1024:65535
16     14286  Deny warning ANY ALL alarm from "ANY_IP" to "ANY_IP"

The error messages I am getting are:

Nov 19 07:51:03 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.61/53] xl0 l=49
Nov 19 07:51:02 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.61/53] xl0 l=49
Nov 19 07:51:00 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.61/53] xl0 l=49
Nov 19 07:50:59 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.62/53] xl0 l=49
Nov 19 07:50:57 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.62/53] xl0 l=49
Nov 19 07:50:56 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.62/53] xl0 l=49

vx0 is my external interface and xl0 is my protected interface. I don't even know where the heck 192.168.1.1 is coming from since the IP address of my protected interface is 192.168.0.1 and my two client IPs are 192.168.0.5 and 192.168.0.10.
63.94.115.61 is the IP address of a DNS server on my network which is in a separate location from where this 'spoofed' gnatbox is at. I really do NOT understand what the deal is here, especially with the unknown IP address. Any help in tracking this problem down would be most helpful.

Christopher
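An added example, not part of the original post and not GTA's code: a small Python triage script that parses the "Possible spoof" lines quoted above, counts them per source and arrival interface, and recomputes which interface a reply to each source would leave on. The routing table is an assumption (a 192.168.0.0/24 protected network on xl0, since the post gives no netmask, and a default route via vx0), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Pattern follows the "Possible spoof" lines quoted in the post.
SPOOF_RE = re.compile(
    r"Possible spoof, return interface (?P<ret>[^\s:]+) != arrival (?P<arr>[^\s:]+): "
    r"\w+ (?P<proto>\w+) \[(?P<src>[\d.]+)/(?P<sport>\d+)\]->"
    r"\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
)

# Assumed routing table: the /24 mask and the default route are assumptions,
# the post only gives host addresses and the interface roles.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "xl0"),  # protected
    (ipaddress.ip_network("0.0.0.0/0"), "vx0"),       # external / default
]

def return_interface(ip):
    """Longest-prefix match: the interface a reply to `ip` would leave on."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches)[1]

def parse(line):
    """Return the fields of one spoof alert, or None for any other line."""
    m = SPOOF_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count alerts per (source, arrival interface) and redo the path check."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["src"], rec["arr"])] += 1
    return {
        key: {"count": n, "return_if": return_interface(key[0]),
              "mismatch": return_interface(key[0]) != key[1]}
        for key, n in counts.items()
    }

# Two lines copied from the post, plus one constructed non-alert line.
SAMPLE = [
    "Nov 19 07:51:03 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.61/53] xl0 l=49",
    "Nov 19 07:50:59 FILTER: Possible spoof, return interface vx0 != arrival xl0: error UDP [192.168.1.1/137]->[63.94.115.62/53] xl0 l=49",
    "Nov 19 07:50:55 unrelated line (constructed)",
]

if __name__ == "__main__":
    for (src, arr), info in summarize(SAMPLE).items():
        print(src, arr, info)
```

Under these assumptions, 192.168.1.1 arriving on xl0 resolves to vx0 as its return interface, which matches the mismatch the log reports, while the two client addresses in the post resolve to xl0.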
