Hello Ken,
firstly, thanks for your observation. I have made the changes you suggested,
however the problem is still present on my system:
- When someone pings the broadcast IP of qe1
(xxx.xxx.xxx.16), the Log Viewer tells me that the icmp packet tries to come in
through the qe2 interface.
- When someone pings the broadcast IP of qe2
(xxx.xxx.xxx.32), the Log Viewer tells me that the icmp packet tries to come in
through the qe1 interface.
The results are:
1- The FW drops the packet because it thinks that the source IP is
spoofed.
2- After some minutes I get the typical messages of
"too many internal hosts detected" in the syslog.
I think that the 2nd problem is a consequence of the 1st problem.
I have observed that my ARP table has the following 2 lines:
qe1 xxx.xxx.xxx.16 255.255.255.255 SP ..:..:..:..:..:84
qe2 xxx.xxx.xxx.16 255.255.255.255    ..:..:..:..:..:84
Is it normal that the same MAC address appears on 2 different interfaces? If
not, how can I resolve the problem?
I have been sniffing my network card for the broadcast packets and the only
2 packets I saw were:
Using device /dev/qe (promiscuous mode)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 9:48:35.39
ETHER: Packet size = 74 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = ..:..:..:..:..:84, Sun ====================> The MAC of qe1
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 60 bytes
IP: Identification = 3387
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 1 seconds/hops
IP: Protocol = 1 (ICMP)
IP: Header checksum = a227
IP: Source address = 81.41.214.217, 217.Red-81-41-214.pooles.rima-tde.net
IP: Destination address = xxx.xxx.xxx.16, xxx.xxx.xxx.xxx.16
IP: No options
IP:
ICMP: ----- ICMP Header -----
ICMP:
ICMP: Type = 8 (Echo request)
ICMP: Code = 0
ICMP: Checksum = 375c
ICMP:
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 2 arrived at 9:48:40.18
ETHER: Packet size = 74 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = ..:..:..:..:..:85, Sun ====================> The MAC of qe2
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 60 bytes
IP: Identification = 3395
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 1 seconds/hops
IP: Protocol = 1 (ICMP)
IP: Header checksum = a20f
IP: Source address = 81.41.214.217, 217.Red-81-41-214.pooles.rima-tde.net
IP: Destination address = yyy.yyy.yyy.32, yyy.yyy.yyy.32
IP: No options
IP:
ICMP: ----- ICMP Header -----
ICMP:
ICMP: Type = 8 (Echo request)
ICMP: Code = 0
ICMP: Checksum = 365c
ICMP:
Could you help me, please?
Greetings,
Jose
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 02, 2004 9:50 PM
Subject: Re: [FW-1] Question about Spoofing and too many internal hosts
Jose,
You mention that in the interface tab of the gateway object the IP
Addresses for the interfaces are as follows:
* Interfaces tab :
name / Address / Mask / Anti spoof
qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
qe1 / xxx.xxx.xxx.16 / 255.255.255.240 / This net
qe2 / xxx.xxx.xxx.32 / 255.255.255.240 / This net
Based upon your netmasking, the displayed addresses are network addresses
not host addresses. I think that they should be:
* Interfaces tab :
name / Address / Mask / Anti spoof
qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
qe1 / xxx.xxx.xxx.17 / 255.255.255.240 / This net
qe2 / xxx.xxx.xxx.33 / 255.255.255.240 / This net
Did you do a get "Interfaces with Topology" under the Topology tab of the
gateway object?
Regards,
Ken...
From: "Dpto. de Internet- Jose J. Pedrajas" <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: [EMAIL PROTECTED]
Date: 03/02/2004 04:57
Subject: [FW-1] Question about Spoofing and too many internal hosts
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
Hi,
I have a Sun machine with FW-1 and 3 interfaces which are configured as
follows:
qe0: inet xxx.xxx.xxx.2 netmask fffffff0 broadcast xxx.xxx.xxx.15
qe1: inet xxx.xxx.xxx.17 netmask fffffff0 broadcast xxx.xxx.xxx.31
qe2: inet xxx.xxx.xxx.33 netmask fffffff0 broadcast xxx.xxx.xxx.47
I have configured an object for the above machine in FW-1 as follows:
* General tab :
IP : xxx.xxx.xxx.2
Location : internal
Type : gateway
Firewall-1 installed option : check
* Interfaces tab :
name / Address / Mask / Anti spoof
qe0 / xxx.xxx.xxx.2 / 255.255.255.240 / Others + broadcast
qe1 / xxx.xxx.xxx.16 / 255.255.255.240 / This net
qe2 / xxx.xxx.xxx.32 / 255.255.255.240 / This net
The problem is that when I try to do a "ping" (or a DNS query) from the IP
yyy.yyy.yyy.yyy to the IP xxx.xxx.xxx.16 (broadcast), I see the following
line in the Log Viewer:
Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
0 / -> qe2 / yyy.yyy.yyy.yyy / / xxx.xxx.xxx.16 / / icmp / drop
0 / -> qe2 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / domain / udp / drop
The IP xxx.xxx.xxx.16 belongs to qe1 and not to qe2; I don't know why this
packet is redirected to the qe2 interface and not to qe1. I think that,
in any case, the line should be the following:
Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
0 / -> qe1 / yyy.yyy.yyy.yyy / / xxx.xxx.xxx.16 / / icmp / drop
0 / -> qe1 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / domain / udp / drop
On the other hand, if I try to do a "telnet xxx.xxx.xxx.16 bbbb", I see the
following line in the Log Viewer:
Rule / Interface / Source / S_port / Destination / Service / Protocol / Action
aa / -> qe0 / yyy.yyy.yyy.yyy / zzzz / xxx.xxx.xxx.16 / bbbb / tcp / drop
that is, the line in the log is correct.
Besides, I get the typical message "too many internal hosts detected" as a
consequence of the problem mentioned.
Could someone help me, please?
Thanks and best regards,
Jose
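Added example (not part of the thread or of Check Point's software): it checks the Interfaces tab entries above the way Ken did, by testing whether each address is a host address of the /28 its mask implies, and models the "This net" / "Others" anti-spoofing decision the Log Viewer shows as rule 0. Assumptions: 192.0.2.0/24 stands in for the masked xxx.xxx.xxx prefix, 198.51.100.7 for the external yyy source, and the anti-spoofing semantics are simplified from the thread's description.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed copy of Jose's Interfaces tab (assumption: 192.0.2.x replaces
# the masked xxx.xxx.xxx prefix): (name, address, mask, anti-spoof setting).
TOPOLOGY = [
    ("qe0", "192.0.2.2",  "255.255.255.240", "Others + broadcast"),
    ("qe1", "192.0.2.16", "255.255.255.240", "This net"),
    ("qe2", "192.0.2.32", "255.255.255.240", "This net"),
]

def entry_problems(name, address, mask):
    """Ken's check: the interface address must be a host address, not the
    network or broadcast address of the subnet the mask implies."""
    iface = IPv4Interface(f"{address}/{mask}")
    net = iface.network
    notes = []
    if iface.ip == net.network_address:
        notes.append(f"{name}: {iface.ip} is the network address of {net}; "
                     f"first usable host is {net.network_address + 1}")
    if iface.ip == net.broadcast_address:
        notes.append(f"{name}: {iface.ip} is the broadcast address of {net}")
    return notes

def interface_for(dst, topology=TOPOLOGY):
    """Interface whose subnet contains dst, i.e. where a packet to that
    address (including its directed broadcast) is expected; None if none."""
    for name, address, mask, _ in topology:
        if IPv4Address(dst) in IPv4Interface(f"{address}/{mask}").network:
            return name
    return None

def antispoof_verdict(iface_name, src, topology=TOPOLOGY):
    """Simplified anti-spoofing model (assumption, not Check Point's code):
    'This net' accepts only sources inside the interface's own subnet;
    'Others' accepts sources outside every other interface's subnet.
    Returns 'accept' or 'drop' (a drop is logged as rule 0)."""
    nets = {n: IPv4Interface(f"{a}/{m}").network for n, a, m, _ in topology}
    mode = next(m for n, _, _, m in topology if n == iface_name)
    src = IPv4Address(src)
    if mode == "This net":
        return "accept" if src in nets[iface_name] else "drop"
    others = [net for n, net in nets.items() if n != iface_name]
    return "drop" if any(src in net for net in others) else "accept"

if __name__ == "__main__":
    for name, address, mask, _ in TOPOLOGY:
        for note in entry_problems(name, address, mask):
            print(note)
    print("ping to .16 belongs to", interface_for("192.0.2.16"))
    print("external src on qe2:", antispoof_verdict("qe2", "198.51.100.7"))
```

Running it flags qe1 and qe2 (.16 and .32 are the network addresses of their /28s, the first usable hosts being .17 and .33), and shows that an external source arriving on a "This net" interface is dropped as spoofed, which is the rule 0 line in the Log Viewer.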