NETBIOS Broadcasts Improperly(?) Reported as Spoofed

Current SG135 UTM9 machine connected to internal LAN (172.16.199.1/24) on eth0 and WAN on eth1.  The lag0 interface includes eth2-eth5.  No IP on lag0 but there are a few VLAN interfaces on top of it - i.e. lag0.200, lag0.201, etc.  The 20x VLANs are using 172.16.20x.1/24 subnets and the firewall is .1. Spoof Protection under Firewall > Advanced is set to Normal.

I have a NAS appliance running Samba under the hood on FreeBSD.  It is connected to the LAN and also has interfaces on the same networks as the firewall's lag0.20x interfaces.  I'm seeing regular broadcasts from the NAS (172.16.199.50:138→172.16.199.255:138) ending up in my firewall log.

I've logged into the firewall and sniffed traffic on different interfaces looking for these packets and I only ever see them on the eth0 interface where I expect them.  Why is the firewall improperly (IMHO) reporting these as spoofed? 

  • Sure you can't find this traffic on the wrong interface?

    BSD uses strange routing and I have seen similar already.

    Please post the log with spoofing entries.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I'm seeing the packets in the output from this about the same time they appear in the Live Log for the Firewall.

    fw:/root # tcpdump -i eth0 host 172.16.199.255
    I'm not seeing the packets in other terminal windows running these commands at the same time.

    tcpdump -i lag0.200 host 172.16.199.255

    tcpdump -i lag0.201 host 172.16.199.255

    tcpdump -i lag0.202 host 172.16.199.255

    I'm wondering now if a packet with that address would even get past the kernel driver now that I think about it.

    Nonetheless, I got onto the NAS and sniffed the same way.  I'm seeing the outbound broadcast packets on its LAN interface but am never seeing a packet with that IP on any of the VLAN interfaces.

    Somewhat related, I'm seeing "Spoofed packet" entries in the logs for NTP traffic from some internal hosts to the firewall at 172.16.199.1:123.  Again, that traffic is coming from what to me are perfectly valid hosts and similar sniffing suggests the traffic is on the correct interface.

    Odd...
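The setup in this thread, a NAS that sits on the LAN and on the lag0.20x VLANs at the same time, is exactly what a per-interface reverse-path check trips on if the host ever emits a packet with its LAN source address out a VLAN interface. The script below is an added example, not Sophos code and not a description of how UTM 9 implements its "Normal" spoof protection: it models the check as an assumed longest-prefix lookup of the source address against the firewall's connected subnets, and runs it over constructed packets built from the addresses in this thread (the VLAN subnets are assumed from the 172.16.20x.1/24 description).

```python
import ipaddress
from dataclasses import dataclass

# Constructed interface table for the thread's topology (VLAN subnets assumed).
INTERFACES = {
    "eth0":     ipaddress.ip_network("172.16.199.0/24"),
    "lag0.200": ipaddress.ip_network("172.16.200.0/24"),
    "lag0.201": ipaddress.ip_network("172.16.201.0/24"),
    "lag0.202": ipaddress.ip_network("172.16.202.0/24"),
}

@dataclass
class Packet:
    src: str
    dst: str
    iface: str  # interface on which the firewall received the packet

def expected_iface(src: str):
    """Longest-prefix match of the source address against connected subnets."""
    addr = ipaddress.ip_address(src)
    best = None
    for name, net in INTERFACES.items():
        if addr in net and (best is None or net.prefixlen > INTERFACES[best].prefixlen):
            best = name
    return best

def spoof_verdict(pkt: Packet):
    """Return (is_spoofed, reason) under the assumed reverse-path style check."""
    src = ipaddress.ip_address(pkt.src)
    ingress = INTERFACES.get(pkt.iface)
    if ingress is None:
        return True, f"unknown ingress interface {pkt.iface}"
    # A source that can never legitimately originate a packet is always spoofed.
    if src in (ingress.broadcast_address, ingress.network_address) \
            or src.is_multicast or src.is_unspecified:
        return True, f"illegal source address {pkt.src}"
    want = expected_iface(pkt.src)
    if want is None:
        return False, "source not on a connected subnet; left to the routing table"
    if want != pkt.iface:
        return True, f"source {pkt.src} belongs to {want} but arrived on {pkt.iface}"
    return False, f"source {pkt.src} matches ingress {pkt.iface}"

def audit(packets):
    """Return the (packet, reason) pairs the check would log as spoofed."""
    flagged = []
    for pkt in packets:
        spoofed, reason = spoof_verdict(pkt)
        if spoofed:
            flagged.append((pkt, reason))
    return flagged
```

Running `audit` over the NAS broadcast as seen on eth0 yields nothing, while the same source address arriving on lag0.201 is flagged, which is the case to look for with tcpdump on the NAS side.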
