Firewall Wizards mailing list archives

RE: Wayyy too many spoofed packets


From: "Chris de Vidal" <chris () devidal tv>
Date: Fri, 21 Nov 2003 19:13:58 -0500 (EST)

Jeroen De Corel said:
> What do you mean with packets claiming to be your ip address: a public ip
> address on the internal network?

I mean this:
Network  ------------------------  eth0
172.19.255.255                     172.19.2.200

Packet (from 172.19.2.200) ----->  eth0 (should not ever happen, but
happened 144 times yesterday out of millions of packets)

> You wouldn't happen to be running vmware in the background, would you?

Nope.


Someone on this list explained that this is probably happening:
eth0  -->  Packet from 172.19.2.200 to 172.19.255.255 -->  network
                                                           |
                                                           |
eth0  <----------------------------------------------------+
(listening to all traffic destined for 172.19.255.255)

So I'm probably getting my own broadcast traffic back.  But I wasn't
expecting that :-)

The solution is to not flag broadcast packets with my IP coming in.  I
think I can add ! -s 172.19.255.255 to my rule.

Thanks for the help!
/dev/idal
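
The situation in the message above, sketched as log triage. This is an added example, not part of the original post. It separates inbound packets that carry the host's own source address into returned broadcast traffic and traffic still worth flagging, keying on the destination address. The /16 prefix is an assumption inferred from the 172.19.255.255 broadcast address in the post, and the log format and function names are constructed for illustration.

```python
import ipaddress

# Assumption: eth0 is 172.19.2.200/16 (prefix inferred from the broadcast
# address 172.19.255.255 shown in the post; the post does not state it).
IFACE = ipaddress.ip_interface("172.19.2.200/16")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample lines in a hypothetical "IN= SRC= DST=" log format.
SAMPLE_LOG = """\
IN=eth0 SRC=172.19.2.200 DST=172.19.255.255
IN=eth0 SRC=172.19.2.200 DST=172.19.2.200
IN=eth0 SRC=172.19.7.15 DST=172.19.255.255
IN=eth0 SRC=172.19.2.200 DST=255.255.255.255
IN=eth0 SRC=172.19.2.200 DST=172.19.2.1
"""


def classify_inbound(src, dst, iface=IFACE):
    """Classify a packet received on the interface by its addresses."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src != iface.ip:
        return "other"  # not claiming to be us
    if dst in (iface.network.broadcast_address, LIMITED_BROADCAST):
        # Our own broadcast heard again on the same segment.
        return "own-broadcast-echo"
    # Our source address arriving from the wire to a non-broadcast target.
    return "suspected-spoof"


def parse_line(line):
    """Pull SRC and DST out of one KEY=VALUE log line."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields["SRC"], fields["DST"]


def summarize(log_text):
    """Count verdicts over all non-empty log lines."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            verdict = classify_inbound(*parse_line(line))
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```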