Create an alias on the GNAT Box PRO interface with a 169.254.x.x/16 address. Create a Remote Access filter to block/nolog all traffic to this address.
Once the GNAT Box considers 169.254.x.x to be part of the PRO network, it will no longer consider this to be "possible spoof" traffic.

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]

> -----Original Message-----
> From: Emmanuel Cerisier [mailto:ecerisier@;nexgenfs.com]
> Sent: Thursday, November 14, 2002 7:00 AM
> To: [EMAIL PROTECTED]
> Subject: [gb-users] howto filter some Possible spoofs alarms ?
>
> Hi list,
>
> Here's the trick:
>
> I have configured my gnatboxes to create alarms for spoofed packets.
> Fine.
> But now I'm trying to get rid of this kind of message:
>
> > -----------------------------------------------------------------------------
> > NOTIFICATION TYPE: GNAT Box FILTER ALARM
> > PRODUCT: GNAT Box GB-Flash
> > VERSION: 3.2.5s
> > NAME: [...]
> > CONFIGURATION: EXTERNAL=x.x.x.x
> > PROTECTED=y.y.y.y
> > PSN=z.z.z.z
> > -----------------------------------------------------------------------------
> > ALARM NO: 1
> > DATE: Thu 2002-11-14 12:07:42 CET
> > INTERFACE: PROTECTED (tx1)
> > INTERFACE TYPE: Protected
> > ALARM TYPE: Possible spoof
> > IP PACKET: UDP [169.254.130.21/137]-->[169.254.255.255/137] l=50
> > [169.254.130.21/netbios-ns]-->[169.254.255.255/netbios-ns]
> >
> > DETAILED DESCRIPTION:
> >
> > Return interface for IP packet is different than arrival.
>
> These are standard netbios broadcast packets sent by the MS stack for
> laptops or workstations in DHCP that were booted *just before* plugging
> in the LAN cable.
> As no dhcp server can be contacted at boot time, they build their own
> address in the 169.254.0.0/16 network (I think using the MAC address to
> calculate a unique IP in the network)
>
> So nothing very scary so far... :)
>
> I tried to add a rule in the outbound filter to deny /nolog /noalarm
> this kind of packet, but it seems that the gnatbox will check the
> anti-spoofing rules before the outbound ones.
>
> Anyone experienced this problem?
>
> Thanks a lot for your help,
>
> --
> Emmanuel.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> To subscribe to the digest version first unsubscribe, then e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> Archive of the last 1000 messages: http://www.mail-archive.com/gb-users@;gta.com
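
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not GNAT Box code: a simplified reverse-path ("possible spoof") check that runs before the filter list, applied to the packet from the alarm. The interface networks are constructed (the thread elides the real ones), and the filter is assumed to match destinations in 169.254.0.0/16.

```python
import ipaddress
import re

# Constructed interface table (assumption); EXTERNAL carries the default route.
INTERFACES = {
    "EXTERNAL": ["0.0.0.0/0"],
    "PROTECTED": ["192.168.1.0/24"],
    "PSN": ["192.168.2.0/24"],
}

PACKET_RE = re.compile(r"\[([\d.]+)/(\w[\w-]*)\]-->\[([\d.]+)/(\w[\w-]*)\]")

def parse_ip_packet(line):
    """Extract (src, sport, dst, dport) from an alarm's 'IP PACKET' line."""
    m = PACKET_RE.search(line)
    if m is None:
        raise ValueError("no packet tuple in line: %r" % line)
    return m.groups()

def return_interface(src, interfaces):
    """Longest-prefix match: the interface a reply to `src` would leave on."""
    addr = ipaddress.ip_address(src)
    best = None
    for name, nets in interfaces.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def classify(arrival, src, dst, interfaces, filters):
    """Spoof check first, then filters: the ordering observed in the thread."""
    if return_interface(src, interfaces) != arrival:
        return "possible spoof"
    for net, action in filters:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return action
    return "accept"

# Packet line taken from the alarm above; the filter entry is a constructed model.
ALARM_LINE = "IP PACKET: UDP [169.254.130.21/137]-->[169.254.255.255/137] l=50"
FILTERS = [("169.254.0.0/16", "block/nolog")]

def demo():
    src, _, dst, _ = parse_ip_packet(ALARM_LINE)
    before = classify("PROTECTED", src, dst, INTERFACES, FILTERS)
    alias = dict(INTERFACES, PROTECTED=INTERFACES["PROTECTED"] + ["169.254.0.0/16"])
    after = classify("PROTECTED", src, dst, alias, FILTERS)
    return before, after

print(demo())
```

Without the alias, the reply path for 169.254.130.21 resolves to the default route on EXTERNAL, so the packet is flagged before any filter is consulted; with the alias, the lookup returns PROTECTED and the block/nolog filter applies.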
