Security Basics mailing list archives
Re: interpreting pfsense(ntop) on wan
From: "J. von Balzac" <jhm.balzac () gmail com>
Date: Tue, 20 Dec 2011 01:09:05 +0100
I just read this back, maybe I should clarify myself. I was talking about interpreting ntop that runs in the pfsense environment. An example (using RFC 5737 "fictitious" addresses):

* IP of the pfsense box is 198.51.100.37/24. This box is connected to a "hostile" /24 subnet together with other customers of my ISP. I see their ARP packets and other stuff: netbios, smb, STP, ...
* Ntop has enabled promiscuous mode on the WAN interface.

In Summary -> Hosts I see the IP 203.0.113.25, obviously not on my subnet. When I click that IP and scroll down to "Last contacted peers", I see no IP that belongs to myself but one that is in my subnet, e.g. 198.51.100.123. Kind of like this:

    Packet Statistics
    TCP Connections Attempted: 10; directed to: 198.51.100.123 and 198.51.100.210; rcvd from: 0
    TCP Connections Established: 4 [40%]; directed to: 198.51.100.123 and 198.51.100.210, rcvd from: 0
    TCP Flags: SYN; pkts sent: 10 198.51.100.123 and 198.51.100.210, pkts rcvd: 0
    Last contacted peers:
        Sent to 198.51.100.123
        Sent to 198.51.100.210
    Total Contacts 3   <- 3?

So how does one interpret this? I'm at a loss. It looks like these two hosts are sending packets via me. Or is 203.0.113.25 sending packets to those other hosts via me?

By the way, this all occurs even after I have added a filter to the WAN port of pfsense: "if source and dest are not my IPs then block it".

Please help me understand this and maybe even fix the problem, if there is one.

Thanks,
Jan

On 19 December 2011 05:33, J. von Balzac <jhm.balzac () gmail com> wrote:

> Well, that's certainly not easy. One thing in particular caught my attention. In Summary -> Hosts I sometimes notice foreign addresses (i.e. unknown to me). When I view their page and then look at either "Packet Statistics" or "Last Contacted Peers", I see foreign addresses there, too. Some are other boxes in my ISP's subnet, others are not. Have I accidentally configured the pfsense box to route packets? Am I misinterpreting? And finally, as an aside, are "you guys" happy with pfsense?
>
> Thank you
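One way to tell "I am routing this" apart from "I only see this because the NIC is promiscuous" is to compare each captured frame's destination MAC with its destination IP. The script below is an added example, not code from the thread or from ntop/pfSense; it assumes a made-up WAN MAC (OUR_MAC), takes the WAN IP from the post, and runs over a constructed sample of frames rather than a real capture.

```python
# Added triage example (not part of the original thread). Given frames captured
# in promiscuous mode on the WAN segment, decide whether this box is an endpoint,
# is forwarding the packet (addressed to our MAC but not our IP), or is merely a
# bystander that only sees the frame because the NIC is promiscuous.
from dataclasses import dataclass

OUR_MAC = "00:11:22:33:44:55"   # assumed MAC of the pfSense WAN NIC (placeholder)
OUR_IPS = {"198.51.100.37"}     # WAN address quoted in the post (RFC 5737 space)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

def is_group_mac(mac: str) -> bool:
    # The low bit of the first octet marks multicast/broadcast (group) addresses.
    return int(mac.split(":")[0], 16) & 1 == 1

def classify(frame: Frame) -> str:
    if frame.dst_ip in OUR_IPS or frame.src_ip in OUR_IPS:
        return "endpoint"            # our own traffic; expected to appear in ntop
    if frame.dst_mac.lower() == OUR_MAC:
        return "forwarded"           # L2-addressed to us for another IP: we are routing it
    if frame.dst_mac.lower() == BROADCAST_MAC or is_group_mac(frame.dst_mac):
        return "segment-broadcast"   # ARP, NetBIOS, STP etc. from neighbours on the shared /24
    return "bystander"               # seen only because the interface is promiscuous

# Constructed sample modelled on the post: 203.0.113.25 talking to neighbours.
# Neighbour MACs are invented; 0a/0c first octets are unicast (low bit clear).
SAMPLE = [
    Frame("0a:00:00:00:00:01", "0c:00:00:00:00:02", "203.0.113.25", "198.51.100.123"),
    Frame("0a:00:00:00:00:01", OUR_MAC,             "203.0.113.25", "198.51.100.210"),
    Frame("0c:00:00:00:00:03", BROADCAST_MAC,       "198.51.100.44", "198.51.100.255"),
    Frame("0a:00:00:00:00:01", OUR_MAC,             "203.0.113.25", "198.51.100.37"),
]

def summarize(frames) -> dict:
    # Count frames per category; a non-zero "forwarded" count means the box really
    # is relaying packets, while "bystander" frames are just shared-segment noise.
    counts: dict = {}
    for f in frames:
        kind = classify(f)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Note that pf filters packets after the NIC has handed the frame to the capture tap, so a WAN block rule changes what the firewall accepts, not what a promiscuous capture tool records.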