Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 2 subscribers
  • Views 1759 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IP Spoofing and 7-octet MAC

lg_03
I'm getting log messages like this:
IP-SPOOFING Drop: IN=eth2 OUT= MAC=00:02:b3:bb:4c:2b:00:50:ba:bc:73:08:08:00 SRC=X.X.X.X DST=192.41.162.30 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=61893 PROTO=UDP SPT=1381 DPT=53 LEN=43 

Looks like MAC addresses are 7-octet entities, what gives?


This thread was automatically locked due to age.
Parents
  • 0
    This looks like the system is doing a DNS (DPT=53)Broadcast. That would explain the seven octet entry.

    The last octet is for broadcast to the network
  • 0 in reply to lanman
    Still can't make things work. Live Packet Log reports MAC addresses split on a faulty boundary, which makes me think something i radically wrong here, either in my setup or in the software.
    Using /28-net on outside I/F, DMZ I/F is on a /29-net subnet (lower half of the /28-net), Proxy ARP is enabled. Can't see any PUB entries in the ARP-tables, though. Machines in the DMZ net are connected through a small 8-port switch.
    This setup works fine in an old ipchains config.
  • 0 in reply to lg_03
    If the DMZ is on a /29 within the net range of the Ext IF /28 they are on the same network, which may be causing routing loops. Try puting the DMZ on a private network and using DNAT.
  • 0 in reply to lanman
    Tnx, I'll try reorganizing my network. Unfortunately, I'll have to do a live firewall swap, which makes assigning DNAT a bit awkward. Virtual servers to reconfigure etc.
Reply Children