Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 2 subscribers
  • Views 4250 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[9.002]Spoofed packets

RFCat_vk_01
Hi,
why does the UTM see devices on my second address on one external interface as spoofed packets?
I have a modem that requests ntp from the external interface additional address.


19:49:47 Spoofed packet UDP 10.99.99.250 : 3072 → 10.99.99.1 : 123 len=76 ttl=64 tos=0x00 srcmac=d8:5d:4c:f2:35:e4 dstmac=4c:72:b9:24:e0:21[FONT=monospace]
19:49:53 Spoofed packet UDP 10.99.99.250 : 3072 → 10.99.99.1 : 123 len=76 ttl=64 tos=0x00 srcmac=d8:5d:4c:f2:35:e4 dstmac=4c:72:b9:24:e0:21[/FONT]
Ian


This thread was automatically locked due to age.
  • 0
    Hi, Ian,

    What subnet mask do you have on that interface?  Is 'Spoof protection' "normal" or "Strict?"

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    RFCat_vk,

    Question, Do you have an external HDD-drive with LAN connection in your network? 
    Because I have the same issues also. And the IP addresses that are killing me are linked to both External Network drives. 

    Problem is.... How to get rid of these spoofs..
  • 0 in reply to HMaster
    Hi folks,
    the source address is a modem/router in bridge mode. The mask at both ends is /24.

    Spoof set to normal.

    Ian
  • 0
    Ian, what happens if you make that Additional Address a /32?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi Bob,
    the modem didn't like a /32 for an internal address. I tried a /30 and now the modem refuses to talk to me.
    Looks like a cable directly to the modem to fix the access problem.

    I have tried making the gateway on the modem the same address as itself, but the UTM still rejects the NTP requests as spoofed.

    Ian
Cookie Information Banner