Security Basics mailing list archives

Re: interpreting pfsense(ntop) on wan


From: "J. von Balzac" <jhm.balzac () gmail com>
Date: Tue, 20 Dec 2011 01:09:05 +0100

I just read this back, maybe I should clarify myself.

I was talking about interpreting ntop that runs in the pfsense environment.

An example (using RFC 5737 "fictitious" addresses):

* IP of the pfsense box is 198.51.100.37/24. This box is connected to
a "hostile" /24 subnet together with other customers of my ISP. I see
their ARP packets and other stuff; netbios, smb, STP, ...

* Ntop has enabled promiscuous mode on the WAN interface. In Summary
-> hosts I see the IP 203.0.113.25, obviously not on my subnet. When I
click that IP and scroll down to Last contacted peers, I see no IP
that belongs to myself but one that is in my subnet, e.g.
198.51.100.123. Kind of like this:

Packet Statistics
TCP Connections Attempted: 10; directed to: 198.51.100.123 and
198.51.100.210; rcvd from: 0
TCP Connections Established: 4 [40%]; directed to: 198.51.100.123 and
198.51.100.210, rcvd from: 0
TCP Flags: SYN; pkts sent: 10 198.51.100.123 and 198.51.100.210, pkts rcvd: 0

Last contacted peers:
Sent to 198.51.100.123
Sent to 198.51.100.210
Total Contacts  3  <- 3?

So how does one interpret this? I'm at a loss. It looks like these two
hosts are sending packets via me. Or is 203.0.113.25 sending packets
to those other hosts via me?

By the way, this all occurs even after I have added a filter to the
WAN port of pfsense: "if source and dest are not my IPs then block
it".

Please help me understand this and maybe even fix the problem, if there is one.

Thanks,
Jan

On 19 December 2011 05:33, J. von Balzac <jhm.balzac () gmail com> wrote:
Well, that's certainly not easy. One thing in particular caught my attention.

In summary -> hosts I sometimes notice foreign addresses (i.e. unknown
to me). When I view their page and then look at either "Packet
Statistics" or "Last Contacted Peers", I see foreign addresses there,
too. Some are other boxes in my ISP's subnet, others are not.

Have I accidentally configured the pfsense box to route packets? Am I
misinterpreting? And finally, as an aside, are "you guys" happy with
pfsense?

Thank you
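A way to settle the question the two messages above raise ("are these hosts sending packets via me, or am I only overhearing them?"), added here as an illustration and not part of Jan's post or of the ntop/pfSense code: on a shared Ethernet segment a frame can only be routed through this box if its destination MAC is this box's MAC, so the destination MAC, not the IP pair, is what separates "transit via me" from "promiscuous-mode bystander traffic". A firewall rule on the WAN interface does not change what the sniffer sees, because BPF taps (tcpdump, ntop) read frames off the driver before pf evaluates them. The script below parses raw Ethernet/IPv4 frames and classifies them against the box's own MAC and IPs. The MACs, the gateway/neighbour roles and the sample frames are constructed for the example; the IPs are the RFC 5737 addresses from the post.

```python
"""Classify captured Ethernet/IPv4 frames by how they relate to this host.

Added example, not from the original mailing-list post. Assumes the capturing
NIC is in promiscuous mode on a shared L2 segment, as ntop's WAN sniffer is.
All MACs, and the sample frames, are constructed test data; the IPs are the
RFC 5737 documentation addresses used in the post.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def _fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str]  # None for non-IPv4 frames (ARP, STP, NetBIOS over NBF, ...)
    dst_ip: Optional[str]


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet II header and, for IPv4, the layer-3 addresses."""
    if len(raw) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:ETH_HDR_LEN])
    src_ip = dst_ip = None
    if etype == ETHERTYPE_IPV4:
        ip = raw[ETH_HDR_LEN:]
        if len(ip) < 20 or (ip[0] >> 4) != 4:
            raise ValueError("truncated or non-IPv4 header")
        ihl = (ip[0] & 0x0F) * 4
        if ihl < 20 or len(ip) < ihl:
            raise ValueError("bad IHL")
        src_ip, dst_ip = _fmt_ip(ip[12:16]), _fmt_ip(ip[16:20])
    return Frame(_fmt_mac(dst), _fmt_mac(src), etype, src_ip, dst_ip)


def classify(frame: Frame, my_mac: str, my_ips: set) -> str:
    """Decide whether a frame involves this host or was merely overheard.

    The deciding field is the destination MAC: a packet can only be routed
    via this box if the sender put this box's MAC on it. If neither MAC is
    ours and the frame is not broadcast/multicast, the NIC only saw it
    because promiscuous mode accepts every frame on the wire.
    """
    my_mac = my_mac.lower()
    if frame.dst_mac == my_mac:
        if frame.dst_ip is None or frame.dst_ip in my_ips:
            return "to-me"
        return "transit-inbound"      # L2 to me, L3 to someone else: I'm being used as a gateway
    if frame.src_mac == my_mac:
        if frame.src_ip is None or frame.src_ip in my_ips:
            return "from-me"
        return "transit-outbound"     # I forwarded someone else's packet
    if int(frame.dst_mac[:2], 16) & 1:  # group bit set: broadcast or multicast
        return "broadcast-multicast"
    return "bystander"                # neither MAC is mine: promiscuous-mode noise


def summarize(frames: Iterable[bytes], my_mac: str, my_ips: set) -> Counter:
    """Tally a capture by class; any non-zero 'transit-*' count means the box forwards."""
    return Counter(classify(parse_frame(f), my_mac, my_ips) for f in frames)


# --- constructed sample capture (test data, not a real trace) -------------------
def build_ipv4_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Minimal Ethernet + IPv4 header, no payload, checksum left 0."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


MY_MAC = "00:11:22:33:44:55"     # assumed MAC of the pfSense WAN NIC
MY_IPS = {"198.51.100.37"}       # the box's WAN address from the post
GW_MAC = "00:aa:bb:cc:dd:01"     # assumed ISP gateway MAC
PEER_MAC = "00:aa:bb:cc:dd:7b"   # assumed MAC of neighbour 198.51.100.123

SAMPLE_CAPTURE = [
    # 203.0.113.25 -> neighbour .123, delivered by the gateway: overheard only
    build_ipv4_frame(PEER_MAC, GW_MAC, "203.0.113.25", "198.51.100.123"),
    # same IP pair but framed TO our MAC: someone is trying to route via us
    build_ipv4_frame(MY_MAC, GW_MAC, "203.0.113.25", "198.51.100.123"),
    # an ordinary packet addressed to us
    build_ipv4_frame(MY_MAC, GW_MAC, "203.0.113.25", "198.51.100.37"),
    # neighbour's broadcast ARP request (EtherType 0x0806, ARP body zeroed)
    bytes.fromhex("ffffffffffff") + bytes.fromhex(PEER_MAC.replace(":", ""))
    + struct.pack("!H", ETHERTYPE_ARP) + bytes(28),
]

if __name__ == "__main__":
    for f in SAMPLE_CAPTURE:
        fr = parse_frame(f)
        print(f"{fr.src_ip} -> {fr.dst_ip}  dst_mac={fr.dst_mac}: {classify(fr, MY_MAC, MY_IPS)}")
    print(summarize(SAMPLE_CAPTURE, MY_MAC, MY_IPS))
```

The same split can be checked live on the pfSense box with two tcpdump BPF filters (substitute the real WAN interface, MAC and IP): `tcpdump -ni WANIF 'not ether host MYMAC and not broadcast and not multicast'` shows only bystander traffic that ntop is counting, while `tcpdump -ni WANIF 'ether dst MYMAC and not dst host MYIP'` shows frames that would have to be forwarded to go anywhere; if the second filter stays silent, nothing is being routed via the box and the peers ntop lists under 203.0.113.25 are just neighbours' conversations overheard on the shared segment.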
