Strange Masquerading Issue

Hi.

Today I got a call from a colleague.
From what he says, he can see in his firewall the internal source address of some (not all) of the stations from my LAN network which connect to his servers.
Since my entire internal network is doing masquerading, I wonder how this could be.
As far as I know, only DNAT transmits the source address.

Any idea?

  • Hi, Goldy,

    Check to see if you have any firewall rule like 'Internal (Network) -> Any -> Colleague : Allow'.  If the connection tracker thinks a conversation is finished, such a rule can allow the traffic out.  Take a look at https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/41243.

    Cheers - Bob
  • Hi.
    'Internal (Network) -> Any -> Colleague : Allow' - Couldn't find any.
    I turned on spoofing protection and I'll see tomorrow.

    Thanks.
  • Hi Bob.
    We are still having this issue.
    Any idea?
  • Did you read that entire thread?  Depending on what's getting out, you might be able to increase one of the conntrack timeouts.

    Cheers - Bob
  • Hi Bob.

    It seems they couldn't find any solution for the other thread too.
    I guess I'll have to open a case in Sophos...
    Goldy, how about a sample
    source:port destination:port protocol
    of what gets through?

    Cheers - Bob
  • 12:07:55.910639 IP *.*.*.53.51021 > *.*.*.*.static.050.net.https: R 2349803767:2349803767(0) win 0

    To any of you with production system,  who want to check it too -

    From SSH (PuTTY), run the command:
    tcpdump -i eth1 (change to your external NIC)

    In PuTTY, set logging to 'All session output' and define where to keep the log. After a few minutes, stop and look for internal IPs.
  • Hi,

    Specifying the local network(s) in the tcpdump command would limit the output to what you are looking for, e.g.

    sudo tcpdump -nn -p -i eth0 src or dst net 192.168.0.0/16

    assuming eth0 is external and all internal nets are in the 192.168.x.x space.

    The '-p' disables promiscuous mode, which is not needed for listening to your own traffic.

    Barry
  • Just started at home (UTM 9.106017), and already seeing a bunch of packets 'leaking':

    loginuser@fw:/home/login > sudo tcpdump -nn -p -i eth0 src or dst net 192.168.0.0/16
    root's password:
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    10:44:51.227769 IP 192.168.212.116.49068 > 157.56.244.134.993: FP 4178359632:4178359706(74) ack 2669006099 win 1641
    10:48:09.093235 IP 192.168.212.116.49068 > 157.56.244.134.993: FP 0:74(74) ack 1 win 1641
    10:49:58.732497 IP 192.168.212.116.48631 > 176.34.235.44.80: F 2422316151:2422316151(0) ack 3874391965 win 245
    10:49:58.733566 IP 192.168.212.116.51439 > 50.112.102.20.80: F 1957015302:1957015302(0) ack 2526747354 win 607
    10:49:59.306467 IP 192.168.212.116.51439 > 50.112.102.20.80: F 0:0(0) ack 1 win 607
    10:49:59.307564 IP 192.168.212.116.48631 > 176.34.235.44.80: F 0:0(0) ack 1 win 245
    10:49:59.934775 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:49:59.935669 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.080001 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.080876 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.082469 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.083364 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.084220 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.183554 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.184438 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.185298 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.186219 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.187028 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.187890 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.188769 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.189623 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.190478 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.191354 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.192211 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.193082 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.193944 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.194840 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.195673 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.196533 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.197405 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.198266 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.199133 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
    10:50:00.238113 IP 192.168.212.116.51439 > 50.112.102.20.80: F 0:0(0) ack 1 win 607
    10:50:00.458902 IP 192.168.212.116.48631 > 176.34.235.44.80: F 0:0(0) ack 1 win 245
    10:50:02.261126 IP 192.168.212.116.51439 > 50.112.102.20.80: F 0:0(0) ack 1 win 607
    10:50:02.754703 IP 192.168.212.116.48631 > 176.34.235.44.80: F 0:0(0) ack 1 win 245
    10:50:09.372146 IP 192.168.212.116.33549 > 74.125.224.64.443: F 4197301984:4197301984(0) ack 2963584267 win 485
    10:50:14.263765 IP 192.168.212.116.51439 > 50.112.102.20.80: F 0:0(0) ack 1 win 607
    10:50:16.429270 IP 192.168.212.116.48631 > 176.34.235.44.80: F 0:0(0) ack 1 win 245
    10:50:19.444505 IP 192.168.212.116.49068 > 157.56.244.134.993: FP 0:74(74) ack 1 win 1641
    10:50:59.757259 IP 192.168.212.116.51439 > 50.112.102.20.80: F 0:0(0) ack 1 win 607
    10:51:04.201333 IP 192.168.212.116.48631 > 176.34.235.44.80: F 0:0(0) ack 1 win 245
    10:53:05.862966 IP 192.168.212.116.51439 > 50.112.102.20.80: F 0:0(0) ack 1 win 607
    10:54:08.297573 IP 192.168.212.116.48631 > 176.34.235.44.80: F 0:0(0) ack 1 win 245


    The 192.168.212.116 device is my Android phone, which is connected to my AP30. The .212 net is a wireless-only net (not bridge-to-VLAN), and has a Masquerading rule.

    Barry
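    The check Barry describes (capture on the external NIC, then look for internal source addresses) can be automated over a saved tcpdump log. The script below is an added example, not code from the thread or from Sophos: it parses tcpdump's numeric (-nn) TCP lines, flags any packet whose source is an RFC 1918 address, and notes whether the leaked packets are FIN/RST teardown segments, which is what you would expect if the conntrack entry expired before the client finished closing the connection. The sample lines mix three entries from Barry's capture above with constructed ones (203.0.113.x / 198.51.100.x / 10.0.0.5 are made up).

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges: a packet with one of these as its source should never be
# seen leaving the external interface of a masquerading firewall.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample capture: first three lines are from Barry's post above,
# the remaining ones are made up (documentation / private ranges).
SAMPLE = """\
10:49:58.732497 IP 192.168.212.116.48631 > 176.34.235.44.80: F 2422316151:2422316151(0) ack 3874391965 win 245
10:49:59.934775 IP 192.168.212.116.57446 > 74.125.224.242.80: R 2500265296:2500265296(0) win 0
10:50:19.444505 IP 192.168.212.116.49068 > 157.56.244.134.993: FP 0:74(74) ack 1 win 1641
10:51:00.000000 IP 203.0.113.7.40001 > 198.51.100.9.443: P 1:100(99) ack 1 win 512
10:51:00.100000 IP 203.0.113.7.40002 > 198.51.100.9.443: Flags [S], seq 0, win 65535
10:51:01.000000 IP 10.0.0.5.50000 > 198.51.100.9.443: Flags [F.], seq 1, ack 1, win 500
"""

# Matches tcpdump's numeric IPv4/TCP line in both the old flag style used in
# the thread ("F 0:0(0) ack 1") and the newer one ("Flags [F.], seq ...").
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<newflags>[^\]]+)\]|(?P<oldflags>[SFRPUWE.]+))")

def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = (m.group("newflags") or m.group("oldflags")).replace(".", "")
    return {"ts": m.group("ts"), "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")), "flags": flags}

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def is_teardown(flags):
    # FIN/RST segments sent after conntrack dropped the entry; a leaked SYN or
    # data segment would point at a different problem (e.g. a missing NAT rule).
    return "F" in flags or "R" in flags

def find_leaks(capture):
    """Packets on the external NIC whose source is an RFC 1918 address."""
    pkts = (parse_line(l) for l in capture.splitlines())
    return [p for p in pkts if p and is_internal(p["src"])]

def summarize(capture):
    """Count leaked packets per (internal source, TCP flags)."""
    return Counter((p["src"], p["flags"]) for p in find_leaks(capture))
```

    Feed it the PuTTY session log or a file written with tcpdump -nn -p -i <external nic> > leak.log; a non-empty summary with only F/R flags matches the conntrack-expiry pattern discussed in this thread.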
  • Hi Barry.
    Thanks for confirming it (I thought it also might be something to do with my configuration).
    Would you also consider it as a security issue?