Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] AW: [FW-1] How to disable"local interface address spoofing" logg ing?

To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] How to disable"local interface address spoofing" logg ing?
From: Crist Clark <[email protected]>
Date: Tue, 21 Oct 2003 09:23:21 -0700
Organization: Globalstar Communications
References: <[email protected]>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Jean-Francois Gobin wrote:
>
> Sniff on that network to look at the packets.
>
> What is the source address ? What is the destination address ?

FWIW, saw a ton of 127.0.0.1 sourced IP packets coming in from the
Internet for a few hours yesterday. They all looked something like,

  15:19:14.693234 127.0.0.1.80 > 207.88.aaa.bbb.1189: R [tcp sum ok] 0:0(0) ack 1 win 0 (ttl 118, id 5183, len 40)

That is, they all were TCP RST segments from port 80. The destination
port, the destination address, and the acknowledgement number varied
from packet to packet.

What was this? An attack? Seems unlikely. TCP RSTs with a source
address of the loopback... Nothing is ever going to get back to
the sender. Some kind of response to something going on on my network?
Not likely either. The destination addresses were frequently netblocks
with no Internet connectivity. My best guess is some kind of weird
backscatter from a spoofed attack?

Anyway, the point is what the original poster seeing is quite
possibly _real_. It is not a misconfiguration of his system. However,
I am unaware of a way to turn off logging for these packets. This
is a Checkpoint bug. They can be filtered from the log viewer (or
Smart Tracker or whatever marketing changed the name to this month).

> On Tue, 21 Oct 2003, Olaf Lange wrote:
>
> > Matteo Masserini schrieb:
> > > Thank you Dirk,
> > >
> > > we've already:
> > >
> > > - disabled logging in the topology
> > > - disabled logging in the SmartDefence
> > > - set to "false" all the parameters about spoofing in the Objects_5_0.C file
> > >
> > > with no results.
> > >
> > > We then applied Nokia Solution 3463 and the only result was the change from "local interface address spoofing" to "loopback address spoofing".
> > >
> > > Any other suggestion?
> > >
> > > Thanks.
> > > matteo
> > >
> > >
> > I guess your are missing your loopback interface.
> > I am not familiar with Nokia but there mus be a way to create your
> > looback device. On Linux you do it with
> > ifconfig lo inet 127.0.0.1 netmask 255.0.0.0 up
> >
> > Olaf
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
> >
>
> --
> Jean-Francois Gobin - Administrateur gobinjf.be
> http://www.gobinjf.be   mailto:[email protected]
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================


--
Crist J. Clark                               [email protected]
Globalstar CommunicationsThe information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited.  If you have
received this e-mail in error, please contact [email protected]

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

References:
- Re: [FW-1] AW: [FW-1] How to disable "local interface address spoofing" logg ing?
  - From: Jean-Francois Gobin <[email protected]>

Prev by Date: Re: [FW-1] Simple VPN Questoion
Next by Date: [FW-1] Permitting entire domains for http/ftp Norton Liveupdate
Previous by thread: Re: [FW-1] AW: [FW-1] How to disable "local interface address spoofing" logg ing?
Next by thread: [FW-1] DMZ W2K dom
Index(es):
- Date
- Thread