Firewall Wizards mailing list archives

RE: Re: Wayyy too many spoofed packets


From: "Chris de Vidal" <chris () devidal tv>
Date: Fri, 21 Nov 2003 23:52:41 -0500 (EST)

Frank Knobbe said:
> I don't see two interfaces in the info you provided, I only see one,
> eth0. There is no outside. What you see are packets being logged on that
> eth0 interface OUTBOUND, meaning from your box to the network.

Yeah I was using the wrong phrase; I meant out on the network.  I only
have one interface; the firewall is iptables on a Samba server, nothing
more.

Packets coming from the network in through eth0 should NOT claim to have
my IP.  This is spoofing; only packets going outbound should have my IP. 
That's why I'm confused about the number of packets (unless I'm being
hacked; more likely I've just got a misconfiguration).

I assume this rule is mostly working correctly, since it doesn't block
100% of outbound packets with my IP and it doesn't block 100% of packets
inbound through eth0.  It only blocks packets coming in from the network
through eth0 claiming to have my IP.  Only packets going out to the
network should have my IP, and they only travel the OUTPUT chain, where
the -i flag doesn't apply.

So why do I see so many inbound packets from the network coming through
eth0 with my IP?  The only explanation that makes sense is a router
somewhere rebroadcasting packets...

> In your setup it seems that you don't allow broadcast from your box to the
> network. All packets with a broadcast destination seem to get filtered.
> Broadcasts that your box sends (like NetBIOS name broadcasts).

No, I allow broadcasts in both directions...

/dev/idal