Security Incidents mailing list archives
Possible stateful filtering problem?
From: Security <security () zerouptime ch>
Date: Fri, 21 Feb 2003 11:29:16 +0100
First of all, I use FreeBSD with IPFilter and therefore also IPNAT for PAT/portmapping etc. I map my external server IPs on the external interface of my firewall and then bimap them to the servers in the DMZ, while filtering it through ipf rules. The third interface of the firewall goes to the LAN. I have one rule (and only this one rule) which allows Gnutella traffic to be forwarded from any external IPs to one internal (LAN) IP (my workstation). There is a corresponding IPNAT rule which portmaps this port to my PC.

ipf:
    pass in quick on rl0 proto tcp from any to myhost port = 6346 flags S/SAFR keep state group 100

ipnat:
    rdr rl0 123.45.67.8/32 port 6346 -> myhost.mydomain.ch port 6346 tcp

The example IP 123.45.67.8 would be the external IP of my firewall. But now I regularly get the following messages from my DMZ server (IP values changed):
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22117
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22117
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22359
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22359
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22609
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22609
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22853
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22853
    Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:25482
In the example above, my mailserver (.12) is affected; the packets are coming from my firewall (.1), through which those packets must pass. But my internal network now has a completely different IP range, let's say 192.168.1.0/24. And the port is only mapped to one IP of those, my PC.

I suspect either a problem with the stateful filtering of IPFilter, or it could also be my PC from the LAN which tries to connect to a badly configured Gnutella host which shows its LAN IP on the GnutellaNet, which again incidentally matches the IP of my mailserver in the DMZ. But I see those packet reports from my mail or webserver way too often, and most aggravating: they are also reported when my Gnutella client (LimeWire) is not running.

Further ideas?

--
Jonas Nagel <fireball () zerouptime ch>
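A triage script for the "Connection attempt" lines quoted above, added here as an example; it is not part of the original post and not an IPFilter tool. It parses the log, counts how often each (source, source port, destination, destination port) flow repeats (every source port except the last appears twice, which is the pattern a retried SYN leaves), checks whether the host receiving port 6346 is the intended LAN target, and records two facts about the sender: every attempt comes from the firewall's DMZ-side address, and the source ports rise monotonically as a single host's ephemeral-port allocator would produce them. The 10.0.0.0/24 DMZ range, the 192.168.1.0/24 LAN range and the published port come from the post; the log format is taken from the lines shown, and the function names are this example's own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: the log lines quoted in the post, addresses as the author anonymised them.
SAMPLE_LOG = """\
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22117
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22117
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22359
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22359
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22609
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22609
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22853
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22853
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:25482
"""

# Format assumed from the quoted lines: "Connection attempt to <proto> <dst>:<dport> from <src>:<sport>".
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)


def parse(text):
    """Turn the daemon's log text into a list of event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "proto": m["proto"],
                "dst": m["dst"], "dport": int(m["dport"]),
                "src": m["src"], "sport": int(m["sport"]),
            })
    return events


def first_seen_sports(events):
    """Source ports in order of first appearance (duplicates collapsed)."""
    seen = []
    for e in events:
        if e["sport"] not in seen:
            seen.append(e["sport"])
    return seen


def triage(events, dmz_net, firewall_ip, lan_net, published_port):
    """Summarise what the log says about where the traffic came from and where it landed."""
    dmz = ip_network(dmz_net)
    lan = ip_network(lan_net)
    per_flow = Counter((e["src"], e["sport"], e["dst"], e["dport"]) for e in events)
    sports = first_seen_sports(events)
    return {
        "attempts": len(events),
        "distinct_flows": len(per_flow),
        # A flow logged more than once is the same SYN being retried, not a new connection.
        "retransmitted_flows": sum(1 for n in per_flow.values() if n > 1),
        # Hosts that received the published port although the rdr target lives in the LAN range.
        "unexpected_targets": sorted({
            e["dst"] for e in events
            if e["dport"] == published_port and ip_address(e["dst"]) not in lan
        }),
        "targets_in_dmz": sorted({e["dst"] for e in events if ip_address(e["dst"]) in dmz}),
        # rdr rewrites only the destination, so the firewall's own address as source is notable.
        "all_from_firewall": all(e["src"] == firewall_ip for e in events),
        "source_ports_monotonic": all(a < b for a, b in zip(sports, sports[1:])),
    }


if __name__ == "__main__":
    result = triage(parse(SAMPLE_LOG), "10.0.0.0/24", "10.0.0.1", "192.168.1.0/24", 6346)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Because an IPNAT rdr rule rewrites only the destination of a redirected packet, an external Gnutella peer hitting the published port would still show its own address as source; a source equal to the firewall's DMZ-side address is the finding worth pursuing, since it points at traffic the firewall itself originated or re-sourced through a map rule rather than at an outside host.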