Ray Olszewski wrote:
> 
> At 10:49 PM 6/15/01 -0700, Scott C. Best wrote:
> >mds:
> >       Huh. These are interesting:
> >
> >> Jun 15 23:50:55 bluetrout kernel: Packet log: input DENY eth0 PROTO=17
> >> 192.168.0.2:137 a.b.c.d:137 L=78 S=0x00 I=1498 F=0x0000 T=107 (#11)
> ...
> >       Now, the 192.168.x.y is clearly not unique to your LAN.
> >So, even though it's the same IP address as one you use, anyone on
> >the outside could forge a packet with this source IP address. In
> >fact, if someone was trying to be malicious, they might just try
> >and "stuff" a packet like this into your external interface. Just
> >to see if your firewall was setup at all correctly.
> ...
> 
> Assuming that these packets represent an attack, or that the address is
> forged, is a bit much, given the paucity of detail in the original posting
> about what eth0 is connected to.
> 
> Over the months, back on the LRP list, we regularly saw postings about
> firewall logs on cable-modem hookups that reported blocking NETBios packets
> from private addresses. The LAN-like nature of cable-modem connections,
> combined with a Murphy's-law assurance that subscribers will misconfigure
> their setups in any way that is physically possible, all but guarantees that
> private-address packets will "leak" onto cable-modem networks. (Check your
> own logs, Scott -- I remember that you used to see these sorts of packets
> floating around yourself.)
> 
> You are correct, though, that what is most important here is that the
> firewall catches the packets properly. More generally, I'd encourage the
> original poster to provide more information in his postings -- I read the
> original message, but concluded that without any information about what the
> interfaces were connected to, one could only offer wild guesses about the
> source of the packets.

Sorry, I did not see the relevance -- T-1 -- we own a.b.c.d/24.

I was not trying to make a mountain out of a molehill.  Nevertheless, it
is important for all InterNet users to understand that these types of
"encroachment" can come as wolves in sheep's clothing ;>  Regardless,
T-1 or cable modem, how do these warrant dismissal?

In fact, I still fail to see reason to arbitrarily *ignore* these
things, if for no other reason than, I *cannot* know whence they came . . .

What am I missing?

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
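As an added example (not from the thread or any of its participants), here is a small Python checker for ipchains "Packet log:" lines in the format quoted above. It flags inbound packets on the external interface whose source is an RFC 1918 private address, the case the thread argues about, and also generalizes the poster's T-1 situation (owning a.b.c.d/24): a source inside your own public block arriving from outside cannot be legitimate either. The interface name, the stand-in /24, and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# Field layout of an ipchains "Packet log:" syslog line, as quoted in the thread.
LOG_RE = re.compile(r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Return the packet fields as a dict, or None for a non-packet line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec

def classify_source(rec, external_iface, own_networks):
    """'rfc1918' for a private source (leaked by a neighbour or forged), 'own-block'
    for our own public block arriving from outside (spoofed), else None."""
    if rec["iface"] != external_iface:
        return None
    src = ip_address(rec["src"])
    if any(src in net for net in RFC1918):
        return "rfc1918"
    if any(src in net for net in own_networks):
        return "own-block"
    return None

def summarize(lines, external_iface="eth0", own_networks=()):
    """Count flagged packets per (label, source, destination port)."""
    own = [ip_network(n) for n in own_networks]
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        label = classify_source(rec, external_iface, own)
        if label:
            counts[(label, rec["src"], rec["dport"])] += 1
    return counts

# Constructed sample in the thread's format; 198.51.100.0/24 stands in for the
# poster's own /24 ("a.b.c.d/24") and 192.0.2.9 for an unrelated outside host.
SAMPLE = [
    "Jun 15 23:50:55 bluetrout kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.168.0.2:137 198.51.100.1:137 L=78 S=0x00 I=1498 F=0x0000 T=107 (#11)",
    "Jun 15 23:51:40 bluetrout kernel: Packet log: input DENY eth0 PROTO=6 "
    "198.51.100.7:1234 198.51.100.1:23 L=60 S=0x00 I=3 F=0x4000 T=64 (#4)",
    "Jun 15 23:52:10 bluetrout kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.9:4444 198.51.100.1:23 L=60 S=0x00 I=7 F=0x4000 T=51 (#4)",
]
```

Running `summarize(SAMPLE, "eth0", ["198.51.100.0/24"])` yields one `rfc1918` hit for 192.168.0.2 on port 137 and one `own-block` hit for 198.51.100.7, while the packet from 192.0.2.9 is not flagged; the same lines checked against `eth1` produce nothing, which is the point of tying the check to the external interface.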
