Re: bug? blocked packets get shadowed to internal network

hi,

From your logs, it is sending an RST packet to the destination. Are you running any IDS inside your network?
Regards
Dharmendra.T
dharmu@xxxxxxxxxxx

On Thu, 2003-08-14 at 15:04, Juergen Stohr wrote:
Hi to all,

We are using a firewall with RedHat kernel 2.4.20-19.7. The firewall is
configured to block every packet with DPT 199 into our network. When doing
a "telnet server.in.our.network 199" from outside, the firewall correctly
drops that packet, logging

IN=eth1 OUT=eth0 SRC="" DST=xxx.xxx.151.184 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=12615 DF PROTO=TCP SPT=34869 DPT=199 WINDOW=8760 RES=0x00 SYN URGP=0

to syslog. The external interface is eth1, internal is eth0.
However, at the same time, the firewall generates a packet, which is dropped
by the output chain of the firewall. It fakes the SRC and DST and wants to send
that packet to the internal server:

IN= OUT=eth0 SRC="" DST=xxx.xxx.11.231 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=199 DPT=34869 WINDOW=0 RES=0x00 ACK RST URGP=0

When setting the output chain to accept policy, the above packet is delivered
to xxx.xxx.151.184!

How can we prevent those packets from being generated? Kernel RH 2.4.18-x didn't
show that behaviour.

Please CC me as I'm not subscribed.

regards,
	juergen

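A small detector for the pattern reported in this thread, written as an added example (it is not code from the thread or from netfilter): it parses the two LOG lines quoted above and flags a firewall-generated RST (empty IN=) whose ports mirror a dropped inbound SYN. The field names are those of the netfilter LOG target; the pairing logic and the sample input are assumptions.

```python
import re

# The two netfilter LOG lines from the report above (SRC redacted as in the
# post), embedded here as constructed sample input.
SAMPLE_LOG = """\
IN=eth1 OUT=eth0 SRC="" DST=xxx.xxx.151.184 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=12615 DF PROTO=TCP SPT=34869 DPT=199 WINDOW=8760 RES=0x00 SYN URGP=0
IN= OUT=eth0 SRC="" DST=xxx.xxx.11.231 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=199 DPT=34869 WINDOW=0 RES=0x00 ACK RST URGP=0
"""


def parse_log_line(line):
    """Parse one netfilter LOG line: KEY=value tokens become fields,
    bare words (DF, SYN, ACK, RST, ...) become flags."""
    rec = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val.strip('"')   # SRC="" -> empty string
        else:
            rec["flags"].add(tok)
    return rec


def is_inbound_syn(rec):
    """A connection attempt that arrived on some interface."""
    return (rec.get("IN", "") != "" and rec.get("PROTO") == "TCP"
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"])


def is_local_rst(rec):
    """IN= empty means the firewall host generated the packet itself
    (it was seen by the OUTPUT chain, not forwarded)."""
    return (rec.get("IN", "") == "" and rec.get("OUT", "") != ""
            and rec.get("PROTO") == "TCP" and "RST" in rec["flags"])


def find_shadow_rsts(log_text):
    """Pair each blocked inbound SYN with a locally generated RST whose
    SPT/DPT are the mirror image of the SYN's ports."""
    recs = [parse_log_line(l) for l in log_text.splitlines() if l.strip()]
    syns = [r for r in recs if is_inbound_syn(r)]
    rsts = [r for r in recs if is_local_rst(r)]
    hits = []
    for syn in syns:
        for rst in rsts:
            if rst["SPT"] == syn["DPT"] and rst["DPT"] == syn["SPT"]:
                hits.append({"blocked_dpt": int(syn["DPT"]),
                             "client_spt": int(syn["SPT"]),
                             "rst_out": rst["OUT"], "rst_dst": rst["DST"]})
    return hits


if __name__ == "__main__":
    for hit in find_shadow_rsts(SAMPLE_LOG):
        print("firewall-generated RST shadows blocked SYN:", hit)
```

Because the quoted lines carry no syslog timestamps, the pairing is by port mirroring only; on a live syslog feed you would also require the RST to follow the SYN within a short window.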
