Hi,
I have a new setup (4.021, still demo) and I noticed a baffling
situation in the packet filter log:
A user connected a laptop in the LAN side, and got a
IP form (separate) DHCP. Initial broadcast was of course log-dropped
by ASL. All fine.
After that a strange IP (private, but not part of our LAN) was
calling from the LAN interface to server on another (unknown)
private subnet. After a while, the caller switched to an another
ip and reached for yet another server, this time a public one.
And all traffic was 67:68 DHCP.
The latter caller ip was the ip of the wireless connection in the
Windows XP laptop! So apparently the XP went through recent
IPs it had had for the wireless connection in order to establish
a currently valid IP. But the traffic went to the LAN-wire!
Ok, I have my personal opinions about certain opera**** systems,
and thus accept the fact that things happen.
However, this incident lead to an another observation:
The SPOOF_DROP rules in the nat PREROUTING table
generated by ASL look odd to me.
The rules drop from other interfaces the subnets assigned to
one interface. e.g. LAN_IF has LAN_IP and LAN_NET behind it.
=> all other interfaces drop all packets with source LAN_NET/LAN_IP.
Which makes sense. Those would be spoofs anyhow.
But for the LAN I would like to be paranoid, and only allow
traffic from LAN_NET. I just cannot figure out how to set up
that rule with the WebAdmin:
-i $LAN_IF -s ! $LAN_NET -j DROP
Yours,
Jukka Lehtonen
This thread was automatically locked due to age.