I see this occasionally, but I have never gotten information that explains
why. It appears to come from an NT box (a legacy box that no one seems to
fully understand, but we can't turn it off since important people use it)
set up with some kind of tunnel (Citrix, or M$, or something). I found
that connections come to that box from some host outside, and then
sometimes this incoming IP address also tries to get out from the inside
and is dropped by the firewall. There was good correlation between traffic
to that box and the leaking? IP addresses, but I can't trace them to that
network segment, so I can't prove anything.

hermit1

At 05:54 PM 6/22/00 +0200, Karim Amrani wrote:
>Hi everybody,
>
>We have a FW1 v4.1 running on an Ultra 5 box (Solaris 2.6). The
>configuration is classic:
>Internal LAN -> qfe0
>DMZ -> qfe1
>Internet -> hme0
>
>The internal LAN addresses are 192.168.something and the anti-spoofing
>is on.
>
>The problem is that I had an alert saying that some valid address (not
>one of ours) has been detected on the internal LAN (Antispoof alert).
>This valid address is resolved into a public ISP client.
>
>Where can this come from? I forbid the use of modems on the LAN (could
>this be it anyway?). Could this be a successful intrusion into our
>systems?
>
>How can I track that? I looked at the arp table but I could not find
>the alien address in the table (too late?).
>
>Any help appreciated a lot,
>Karim AMRANI