[8.160][BUG][FIXED] internal network spoofed

Hi,
after much pain I have identified why my internal network could not connect to the ASG, but IP addresses were correctly assigned.

I have disabled "SPOOF" checking 
Network security -> firewall -> advanced -> protocol handling -> Spoof protection -> off

and my network is now happy.

Regards

Ian M
  • Astaro Beta Report
    --------------------------------
    Version: 8.160
    Type: BUG
    State: TESTED/FIXED
    Reporter: RFCat_vk+
    Contributor: Robert Tausend
    MantisID: 16976
    Target version: 8.161
    Fixed in version: 8.161
    --------------------------------

  • Hi Ian,

    Can you tell me a little bit more about your setup? Did you see any relevant lines in the logfiles?
  • Hi KBR,

    I have the same when I turn it on ...

    I have a lot of VLANs configured ...


    12:32:41 Spoofed packet TCP 10.10.30.5:42866 -> 95.91.13.42:49787 [SYN] len=60 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet ICMP 10.10.100.12 -> 10.10.10.111 len=84 ttl=64 tos=0x00 srcmac=0:c:29:93:5f:60 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.30.52:51767 -> 10.10.30.1:2000 [SYN] len=44 ttl=64 tos=0x00 srcmac=0:d:ed:40:98:6f dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.30.44:49502 -> 10.10.30.1:2000 [SYN] len=44 ttl=64 tos=0x00 srcmac=0:5:32:d2:fa:d4 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.30.43:50876 -> 10.10.30.1:2000 [SYN] len=44 ttl=64 tos=0x00 srcmac=0:5:32:ff:74:ac dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.100.30:2004 -> 131.159.10.157:50150 [ACK SYN] len=52 ttl=64 tos=0x00 srcmac=40:61:86:96:e2:6 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.30.57:51338 -> 10.10.30.1:2000 [SYN] len=44 ttl=64 tos=0x00 srcmac=0:1b:54:ca:8c:67 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.121.11:123 -> 10.10.30.5:123 len=76 ttl=64 tos=0x00 srcmac=0:26:f2:98:82:ff dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.30.52:51767 -> 10.10.30.1:2000 [SYN] len=44 ttl=64 tos=0x00 srcmac=0:d:ed:40:98:6f dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.30.5:38468 -> 188.75.185.185:27822 [ACK PSH] len=54 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.30.44:49502 -> 10.10.30.1:2000 [SYN] len=44 ttl=64 tos=0x00 srcmac=0:5:32:d2:fa:d4 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.110.2:137 -> 10.10.110.255:137 len=78 ttl=64 tos=0x00 srcmac=0:c:29:b1:43:9b dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.110.2:138 -> 10.10.110.255:138 len=211 ttl=64 tos=0x00 srcmac=0:c:29:b1:43:9b dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.30.45:53197 -> 10.10.30.1:2000 [SYN] len=44 ttl=64 tos=0x00 srcmac=0:5:32:ff:72:5e dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:54105 -> 66.130.183.113:43128 len=71 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:54105 -> 114.45.188.23:3986 len=71 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:54105 -> 109.160.54.36:15487 len=71 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:31589 -> 213.20.170.36:21751 len=31 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.30.5:33152 -> 62.213.146.241:32435 [ACK] len=64 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:29348 -> 128.163.209.41:3879 len=70 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:29348 -> 89.212.128.244:10432 len=70 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:29348 -> 174.52.193.24:37231 len=70 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.100.12:50139 -> 10.10.10.111:25 [SYN] len=60 ttl=64 tos=0x00 srcmac=0:c:29:93:5f:60 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:18490 -> 111.240.88.143:55034 len=77 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:18490 -> 174.52.193.24:37231 len=77 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:18490 -> 46.42.18.103:61572 len=77 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.10.102:63925 -> 192.203.230.10:53 len=71 ttl=128 tos=0x00 srcmac=0:c:29:89:71:5a dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.10.102:63903 -> 8.8.4.4:53 len=72 ttl=128 tos=0x00 srcmac=0:c:29:89:71:5a dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:10660 -> 70.234.133.3:58478 len=73 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:10660 -> 147.156.2.86:17614 len=73 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet UDP 10.10.30.5:10660 -> 24.230.220.187:31949 len=73 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:41 Spoofed packet TCP 10.10.30.5:38468 -> 188.75.185.185:27822 [ACK PSH] len=54 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet TCP 10.10.30.5:60252 -> 95.91.13.42:443 [SYN] len=60 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet ICMP 10.10.100.12 -> 10.10.10.111 len=84 ttl=64 tos=0x00 srcmac=0:c:29:93:5f:60 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:31589 -> 66.130.183.113:43128 len=67 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:31589 -> 84.198.39.74:38781 len=67 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:31589 -> 61.228.124.38:1084 len=67 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet TCP 10.10.30.5:56432 -> 95.91.13.42:80 [SYN] len=60 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:24455 -> 82.241.61.6:35466 len=71 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:24455 -> 186.32.133.55:28786 len=71 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:24455 -> 149.13.32.56:33033 len=71 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet TCP 10.10.10.111:22446 -> 117.206.129.23:5938 [ACK PSH] len=45 ttl=128 tos=0x00 srcmac=0:c:29:18:83:4c dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:54269 -> 75.57.78.254:9693 len=76 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:54269 -> 89.176.88.106:34835 len=76 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:54269 -> 159.149.71.48:47791 len=76 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.10.101:55358 -> 10.20.10.10:161 len=106 ttl=128 tos=0x00 srcmac=0:c:29:ac:1f:c5 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:48663 -> 89.178.17.236:26015 len=71 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:48663 -> 210.238.151.142:32461 len=71 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:48663 -> 190.191.12.17:44679 len=71 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet TCP 10.10.30.43:50876 -> 10.10.30.1:2000 [SYN] len=44 ttl=64 tos=0x00 srcmac=0:5:32:ff:74:ac dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:48649 -> 126.130.89.197:4871 len=70 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:48649 -> 125.230.53.86:26383 len=70 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:48649 -> 95.221.124.187:42591 len=70 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet TCP 10.10.30.57:51338 -> 10.10.30.1:2000 [SYN] len=44 ttl=64 tos=0x00 srcmac=0:1b:54:ca:8c:67 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet UDP 10.10.30.5:60860 -> 10.10.10.101:53 len=88 ttl=64 tos=0x00 srcmac=0:1c:c0:d0:14:b7 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet TCP 10.10.122.102:50155 -> 10.10.122.1:2712 [ACK PSH] len=112 ttl=64 tos=0x00 srcmac=0:1a:8c:7:a3:88 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Spoofed packet TCP 10.10.10.101:61051 -> 217.93.78.250:80 [ACK] len=52 ttl=128 tos=0x00 srcmac=0:c:29:ac:1f:c5 dstmac=0:1a:8c:f0:4d:80
    12:32:42 Default DROP UDP 93.104.180.94:51782


  • Hi kbr,
    I have 2 vlans on an intel Pro 100/1000 desktop nic.

    I was seeing similar to what Robert has posted. I can post extracts from the log if required.

    Ian M
  • Hi Ian, yes please post your log extracts too.
  • Hi kbr,
    this will be the last one for tonight, it is after midnight and alarm goes off at 6am.

    2011:03:02-12:34:05 cats-kingdom ulogd[5563]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0.10" srcmac="0:1a:8c:7:95:78" dstmac="0:1b:21:24:c5:20" srcip="192.168.10.210" dstip="1.2.3.4" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="33518" dstport="2712" tcpflags="SYN" 
    2011:03:02-12:34:06 cats-kingdom ulogd[5563]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0.111" srcmac="0:e:8:cd:b7:cb" dstmac="0:1b:21:24:c5:20" srcip="192.168.111.218" dstip="125.213.99.991" proto="17" length="562" tos="0x08" prec="0x60" ttl="250" srcport="5060" dstport="5060" 
    2011:03:02-12:34:08 cats-kingdom ulogd[5563]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0.10" srcmac="0:c0:2:de:cf:b2" dstmac="0:1b:21:24:c5:20" srcip="192.168.10.12" dstip="192.168.10.255" proto="17" length="229" tos="0x00" prec="0x00" ttl="30" srcport="138" dstport="138"
    2011:03:02-12:34:08 cats-kingdom ulogd[5563]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0.10" srcmac="0:1a:8c:7:95:78" dstmac="0:1b:21:24:c5:20" srcip="192.168.10.210" dstip="1.2.3.4" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="33518" dstport="2712" tcpflags="SYN" 
    2011:03:02-12:34:10 cats-kingdom ulogd[5563]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0.111" srcmac="0:e:8:cd:b7:cb" dstmac="0:1b:21:24:c5:20" srcip="192.168.111.218" dstip="125.213.99.991" proto="17" length="562" tos="0x08" prec="0x60" ttl="250" srcport="5060" dstport="5060" 
    2011:03:02-12:34:14 cats-kingdom ulogd[5563]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0.111" srcmac="0:e:8:cd:b7:cb" dstmac="0:1b:21:24:c5:20" srcip="192.168.111.218" dstip="125.213.99.991" proto="17" length="562" tos="0x08" prec="0x60" ttl="250" srcport="5060" dstport="5060" 
    Ian M
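
Added example (not part of the thread, and not Astaro code): a triage script for packet filter lines in the `key="value"` format posted above. It groups "IP spoofing drop" entries by ingress interface and source address, and marks whether the source lies inside that interface's own subnet, which is the pattern worth attaching to a false-positive report. The subnet map, the host name `fw` and the sample lines are constructed assumptions; the thread does not state the VLAN subnets.

```python
import ipaddress
import re
from collections import Counter

# Assumed VLAN subnets (hypothetical; the thread does not state them).
ASSUMED_SUBNETS = {
    "eth0.10": ipaddress.ip_network("192.168.10.0/24"),
    "eth0.111": ipaddress.ip_network("192.168.111.0/24"),
}

# Constructed sample lines, shortened from the ulogd format in the post above.
SAMPLE_LOG = """\
2011:03:02-12:34:05 fw ulogd[5563]: id="2005" name="IP spoofing drop" initf="eth0.10" srcip="192.168.10.210" dstip="1.2.3.4" proto="6"
2011:03:02-12:34:06 fw ulogd[5563]: id="2005" name="IP spoofing drop" initf="eth0.111" srcip="192.168.111.218" dstip="198.51.100.7" proto="17"
2011:03:02-12:34:07 fw ulogd[5563]: id="2005" name="IP spoofing drop" initf="eth0.10" srcip="192.168.111.9" dstip="192.168.10.1" proto="6"
2011:03:02-12:34:08 fw ulogd[5563]: name="Packet dropped" initf="eth0.10" srcip="192.168.10.12" dstip="192.168.10.255" proto="17"
2011:03:02-12:34:09 fw ulogd[5563]: id="2005" name="IP spoofing drop" initf="eth0.10" srcip="192.168.10.210" dstip="1.2.3.4" proto="6"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))

def classify(fields, subnets=ASSUMED_SUBNETS):
    """Compare the source address with the subnet of the ingress interface."""
    net = subnets.get(fields.get("initf"))
    if net is None:
        return "unknown-interface"
    try:
        src = ipaddress.ip_address(fields.get("srcip", ""))
    except ValueError:  # masked or malformed address in the log
        return "bad-srcip"
    return "src-in-subnet" if src in net else "src-off-subnet"

def triage(log_text, subnets=ASSUMED_SUBNETS):
    """Count spoofing drops per (interface, source IP, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("name") != "IP spoofing drop":
            continue
        key = (fields.get("initf"), fields.get("srcip"), classify(fields, subnets))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (initf, srcip, verdict), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {initf:9s} {srcip:16s} {verdict}")
```
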
  • Additionally, I'd like to know whether this happens with normal or strict (or both settings).
  • I tried to set it to strict; now I can't reach the firewall at all. Any hint how to set this back via console?

    Robert