Hi list,

Here's the trick:
I have configured my gnatboxes to create alarms for spoofed packets. Fine. But now I'm trying to get rid of this kind of message:
-----------------------------------------------------------------------------
NOTIFICATION TYPE: GNAT Box FILTER ALARM
PRODUCT: GNAT Box GB-Flash
VERSION: 3.2.5s
NAME: [...]
CONFIGURATION: EXTERNAL=x.x.x.x
PROTECTED=y.y.y.y
PSN=z.z.z.z
-----------------------------------------------------------------------------
ALARM NO: 1
DATE: Thu 2002-11-14 12:07:42 CET
INTERFACE: PROTECTED (tx1)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: UDP [169.254.130.21/137]-->[169.254.255.255/137] l=50
[169.254.130.21/netbios-ns]-->[169.254.255.255/netbios-ns]
DETAILED DESCRIPTION:
Return interface for IP packet is different than arrival.
These are standard netbios broadcast packets sent by the MS stack for laptops or workstations in DHCP that were booted *just before* plugging in the LAN cable.
As no DHCP server can be contacted at boot time, they build their own address in the 169.254.0.0/16 network (I think using the MAC address to calculate a unique IP in the network).
So nothing very scary so far... :)
I tried to add a rule in the outbound filter to deny /nolog /noalarm this kind of packet, but it seems that the gnatbox will check the anti-spoofing rules before the outbound ones.
Anyone experienced this problem?
Thanks a lot for your help,
--
Emmanuel.
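
An added example, not part of the original post and not GTA code: one way to triage these alarm e-mails on the receiving side, so that spoof alarms caused by self-assigned 169.254.0.0/16 NetBIOS broadcasts are separated from spoof alarms that deserve review. It assumes the alarm text layout shown in the post; the function name, the category labels and the second sample alarm are hypothetical.

```python
import ipaddress
import re

# Link-local range that a DHCP client self-assigns when no server answers.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Numeric "IP PACKET:" line, in the layout shown in the alarm from the post.
PACKET_RE = re.compile(
    r"IP PACKET:\s*(?P<proto>\w+)\s*"
    r"\[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
)
TYPE_RE = re.compile(r"ALARM TYPE:\s*(?P<type>.+)")

def classify(alarm_text):
    """Return 'apipa-netbios', 'apipa-other', 'review' or 'unparsed'."""
    pkt = PACKET_RE.search(alarm_text)
    typ = TYPE_RE.search(alarm_text)
    if not pkt or not typ:
        return "unparsed"
    if typ["type"].strip().lower() != "possible spoof":
        return "review"          # other alarm types are never auto-filed
    try:
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
    except ValueError:
        return "unparsed"        # malformed address, keep it visible
    if src not in LINK_LOCAL:
        return "review"          # spoof alarm from any other source range
    netbios_broadcast = (
        pkt["proto"].upper() == "UDP"
        and pkt["dport"] == "137"
        and dst == LINK_LOCAL.broadcast_address
    )
    return "apipa-netbios" if netbios_broadcast else "apipa-other"

# Alarm body as quoted in the post.
SAMPLE_APIPA = """ALARM TYPE: Possible spoof
IP PACKET: UDP [169.254.130.21/137]-->[169.254.255.255/137] l=50
"""
# Constructed sample (documentation addresses), not taken from the post.
SAMPLE_OTHER = """ALARM TYPE: Possible spoof
IP PACKET: TCP [192.0.2.10/40000]-->[198.51.100.5/80] l=60
"""

if __name__ == "__main__":
    for name, text in (("post", SAMPLE_APIPA), ("constructed", SAMPLE_OTHER)):
        print(name, classify(text))
```

Only the `apipa-netbios` category matches the packets described in the post; everything else, including link-local sources on other ports, stays in front of a human.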
