Firewall Wizards mailing list archives
RE: Re: Wayyy too many spoofed packets
From: "Chris de Vidal" <chris () devidal tv>
Date: Fri, 21 Nov 2003 23:52:41 -0500 (EST)
Frank Knobbe said:
I don't see two interfaces in the info you provided, I only see one, eth0. There is no outside. What you see are packets being logged on that eth0 interface OUTBOUND, meaning from your box to the network.
Yeah I was using the wrong phrase; I meant out on the network. I only have one interface; the firewall is iptables on a Samba server, nothing more. Packets coming from the network in through eth0 should NOT claim to have my IP. This is spoofing; only packets going outbound should have my IP. That's why I'm confused about the number of packets (unless I'm being hacked; more likely I've just got a misconfiguration). I assume this rule is mostly working correctly, since it doesn't block 100% of outbound packets with my IP and it doesn't block 100% of packets inbound through eth0. It only blocks packets coming in from the network through eth0 claiming to have my IP. Only packets going out to the network should have my IP, and they only travel the OUTPUT chain, where the -i flag doesn't apply. So why do I see so many inbound packets from the network coming through eth0 with my IP? The only explaination that makes sense is a router somewhere rebroadcasting packets...
In your setup it seems that you don't allow broadcast from your box to the network. All packets with a broadcast destination seem to get filtered. Broadcasts that your box sends (like NetBIOS name broadcasts).
No, I allow broadcasts in both directions... /dev/idal _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Wayyy too many spoofed packets Chris de Vidal (Nov 21)
- Re: Wayyy too many spoofed packets Paul Robertson (Nov 21)
- Re: Wayyy too many spoofed packets Chris de Vidal (Nov 23)
- Message not available
- RE: Wayyy too many spoofed packets Chris de Vidal (Nov 21)
- Re: Wayyy too many spoofed packets Paul Robertson (Nov 21)
- Re: Wayyy too many spoofed packets Mikael Olsson (Nov 21)
- <Possible follow-ups>
- Re: Wayyy too many spoofed packets Chris de Vidal (Nov 21)
- Re: Wayyy too many spoofed packets Frank Knobbe (Nov 21)
- RE: Re: Wayyy too many spoofed packets Bill Royds (Nov 21)
- RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
- RE: Re: Wayyy too many spoofed packets Chris de Vidal (Nov 23)
- RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
- RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
- RE: Re: Wayyy too many spoofed packets Daniel Linder (Nov 25)
- RE: Re: Wayyy too many spoofed packets Chris de Vidal (Nov 25)