Security Incidents mailing list archives

Possible stateful filtering problem?


From: Security <security () zerouptime ch>
Date: Fri, 21 Feb 2003 11:29:16 +0100

First of all, I use FreeBSD with IPFilter and therefore also IPNAT for
PAT/portmapping etc.

I map my external server IPs on the external interface of my firewall
and then bimap them to the servers in the DMZ, while filtering it
through ipf rules. The third interface of the firewall goes to the LAN.

I have one rule (and only this one rule) which allows Gnutella traffic
to be forwarded from any external IPs to one internal (LAN) IP (my
workstation). There is a corresponding IPNAT rule which portmaps this
port to my PC.

ipf:
pass in quick on rl0 proto tcp from any to myhost port = 6346 flags S/SAFR keep state group 100

ipnat:
rdr rl0 123.45.67.8/32 port 6346 -> myhost.mydomain.ch port 6346 tcp

The example IP 123.45.67.8 would be the external IP of my firewall.

But now I regularly get the following messages from my DMZ server (IP
values changed):

Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22117
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22117
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22359
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22359
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22609
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22609
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22853
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22853
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:25482

In the example above, my mailserver (.12) is affected; the packets are
coming from my firewall (.1), through which those packets must pass.

But my internal network now has a completely different IP range, let's
say 192.168.1.0/24. And the port is only mapped to one IP of those, my
PC.

I suspect either a problem with the stateful filtering of IPFilter, or
it could also be my PC from the LAN which tries to connect to a badly
configured Gnutella host which shows its LAN IP on the GnutellaNet,
which again incidentally matches the IP of my mailserver in the DMZ.

But I see those packet reports from my mail or webserver way too
often, and most aggravating: they are also reported when my Gnutella
client (LimeWire) is not running.

Further ideas?

-- 
Jonas Nagel <fireball () zerouptime ch>
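A small triage helper for the kind of report lines quoted in the post, added here as an example and not part of the original message: it parses the "Connection attempt" lines, flags attempts on the forwarded port whose destination is not the host the rdr rule actually points at, and separates genuine new attempts from SYN retransmits. The sample lines are constructed after the post's own (already anonymised) report, and 192.168.1.10 is an assumed address for the LAN PC inside the 192.168.1.0/24 range the post names.

```python
import re
from collections import Counter

# Constructed sample, modelled on the report lines in the post (IPs changed by the author).
SAMPLE_LOG = """\
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:25482
"""

# The post's rdr rule forwards external port 6346 to exactly one LAN host.
# 192.168.1.10 is an assumed address inside the 192.168.1.0/24 range the post names.
RDR_PORT = 6346
RDR_TARGET = "192.168.1.10"

LINE_RE = re.compile(r"Connection attempt to TCP (\S+):(\d+) from (\S+):(\d+)$")


def parse_attempts(log_text):
    """Turn report lines into (dst, dport, src, sport) tuples; skip anything else."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            dst, dport, src, sport = m.groups()
            events.append((dst, int(dport), src, int(sport)))
    return events


def stray_attempts(events, rdr_port=RDR_PORT, rdr_target=RDR_TARGET):
    """Count attempts on the forwarded port whose destination is NOT the rdr
    target. Any hit means the firewall emitted a SYN towards a host the NAT
    rule never points at, which is the inconsistency the post asks about."""
    counts = Counter()
    for dst, dport, src, sport in events:
        if dport == rdr_port and dst != rdr_target:
            counts[(dst, src, sport)] += 1
    return counts


def retransmitted(counts):
    """Return (src, sport) pairs seen more than once. A repeated identical
    source port is a retransmit of the same unanswered SYN, not a new
    connection, so the real number of attempts is the number of distinct ports."""
    return sorted((src, sport) for (_, src, sport), n in counts.items() if n > 1)
```

Feeding the DMZ host's real report log through `stray_attempts` with the rdr target from the live ipnat rule gives a quick yes/no on whether the firewall is sending forwarded traffic somewhere the mapping cannot explain.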

