At 10:49 PM 6/15/01 -0700, Scott C. Best wrote:
>mds:
>       Huh. These are interesting:
>
>> Jun 15 23:50:55 bluetrout kernel: Packet log: input DENY eth0 PROTO=17
>> 192.168.0.2:137 a.b.c.d:137 L=78 S=0x00 I=1498 F=0x0000 T=107 (#11)
...
>       Now, the 192.168.x.y is clearly not unique to your LAN. 
>So, even though it's the same IP address as one you use, anyone on 
>the outside could forge a packet with this source IP address. In 
>fact, if someone was trying to be malicious, they might just try 
>and "stuff" a packet like this into your external interface. Just 
>to see if your firewall was set up at all correctly.
...

Assuming that these packets represent an attack, or that the address is
forged, is a bit much, given the paucity of detail in the original posting
about what eth0 is connected to. 

Over the months, back on the LRP list, we regularly saw postings about
firewall logs on cable-modem hookups that reported blocking NetBIOS packets
from private addresses. The LAN-like nature of cable-modem connections,
combined with a Murphy's-law assurance that subscribers will misconfigure
their setups in any way that is physically possible, all but guarantees that
private-address packets will "leak" onto cable-modem networks. (Check your
own logs, Scott -- I remember that you used to see these sorts of packets
floating around yourself.)

You are correct, though, that what is most important here is that the
firewall catches the packets properly. More generally, I'd encourage the
original poster to provide more information in his postings -- I read the
original message, but concluded that without any information about what the
interfaces were connected to, one could only offer wild guesses about the
source of the packets.


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                    [EMAIL PROTECTED]        
----------------------------------------------------------------


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
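
An added example, not part of the original message: a Python parser for ipchains "Packet log" lines that counts denied packets arriving on a chosen interface with RFC 1918 source addresses. The sample lines are constructed (the first two are modelled on the line quoted above, with a documentation address in place of a.b.c.d), and which interface is the external one is an assumption the caller must supply.

```python
import ipaddress
import re
from collections import Counter

# ipchains log layout: chain, action, interface, PROTO, src:port, dst:port,
# then L= (length), S= (TOS), I= (IP id), F= (frag), T= (TTL), (#rule).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<len>\d+) S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (not taken from any real log).
SAMPLE = [
    "Jun 15 23:50:55 fw kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.168.0.2:137 203.0.113.10:137 L=78 S=0x00 I=1498 F=0x0000 T=107 (#11)",
    "Jun 15 23:51:02 fw kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.168.0.2:137 203.0.113.10:137 L=78 S=0x00 I=1502 F=0x0000 T=107 (#11)",
    "Jun 15 23:52:10 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "198.51.100.7:4021 203.0.113.10:23 L=60 S=0x00 I=811 F=0x4000 T=52 (#14)",
    "Jun 15 23:53:00 fw kernel: Packet log: input DENY eth1 PROTO=17 "
    "10.1.2.3:138 10.1.2.255:138 L=229 S=0x00 I=77 F=0x0000 T=128 (#3)",
]

def parse(line):
    """Return the fields of one ipchains log line as a dict, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ttl", "rule"):
        rec[key] = int(rec[key])
    return rec

def private_sources(lines, external_iface):
    """Count denied packets on external_iface by (private source, dest port)."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "DENY" or rec["iface"] != external_iface:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in RFC1918):
            hits[(rec["src"], rec["dport"])] += 1
    return hits

if __name__ == "__main__":
    for (src, dport), n in private_sources(SAMPLE, "eth0").most_common():
        print(f"{n:4d}  {src} -> port {dport}")
```

The count shows only that such packets were dropped and how often; deciding between a leak from a neighbouring subscriber and a forged source still depends on knowing what the interface is connected to.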
