Subject: Re: Odd ipf behaviour?
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-security
Date: 09/21/1999 19:41:19
From: Darren Reed <darrenr@reed.wattle.id.au>
Message-Id: <199909210941.TAA05599@avalon.reed.wattle.id.au>
Subject: Re: Odd ipf behaviour?
In-Reply-To: <19990919221430.L485@acheron.middleboro.ma.us> from Mason Loring Bliss at "Sep 19, 99 10:14:30 pm"
To: mason@acheron.middleboro.ma.us (Mason Loring Bliss)
Date: Tue, 21 Sep 1999 19:41:19 +1000 (EST)
Cc: tech-security@netbsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

In some email I received from Mason Loring Bliss, sie wrote:
[...]
> Sep 18 15:58:02 acheron ipmon[194]: 15:58:02.794832 ep0 @0:12 b
         ^           ^                      ^          ^    ^   ^
  [-syslog date-] [ host]             [time logged]    |    |   blocked
                                             [interface]  @group:rule

> 209.67.38.62,80 -> 10.0.0.3,2049 PR tcp len 20 44 -AS
  [srcip,srcport]    [dstip,dstport]   ^      ^   ^ [tcp flags]
                                       |      |   [IP packet length]
                              [protocol]      [IP header length]

So there were no IP options set (IP header length of 20), but it is a
SYN-ACK from port 80 (WWW) to port 2049 (NFS).  Depending on how your
NAT rules are set up (and assuming you don't advertise network 10 routes
locally and that nothing else on the ep0 network has been hacked), this
is either (a) a valid SYN-ACK reply (unlikely) or (b) you're doing bimap
which allows packets to be rewritten to your internal box or (c) someone
is attempting to use an existing NAT session to get addresses rewritten
(unlikely) or (d) someone `hacked' routing tables for intervening routers
to get that packet routed to you.  Then there are things like what tunnelling
protocols (PPTP, GRE, L2P, L2TP, etc) can do.

Darren
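The field layout annotated above, as an added example that is not part of the original message or of IP Filter itself: a small Python parser for that ipmon syslog record shape, plus the two checks the message applies to it (IP header length 20 means no options; "-AS" means SYN-ACK). The regular expression, the IpmonRecord class and the helper names are my own assumptions; the parser only handles TCP/UDP records with ",port" after each address and an optional flag word, and returns None for anything else. The sample line is the one quoted above, rejoined onto a single line.

```python
"""Parse ipmon(8) syslog lines laid out as in the message above.

Added example; not code from the original message or from the IP Filter
distribution.  The regex, IpmonRecord and helper names are assumptions.
Only the record shape shown in the annotated line is handled: TCP/UDP
records with ",port" after each address and an optional "-XY" flag word.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# syslog prefix, then ipmon's own record: time logged, interface,
# @group:rule, action (b = blocked, p = passed), src,port -> dst,port,
# "PR" protocol, IP header length, total IP length, optional TCP flags.
IPMON_RE = re.compile(
    r"^(?P<sysdate>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) ipmon\[(?P<pid>\d+)\]: "
    r"(?P<logtime>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}),(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),(?P<dport>\d+) "
    r"PR (?P<proto>[a-z]+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))?"
)

# The line quoted in the message, rejoined onto one line (sample input).
SAMPLE_LINE = (
    "Sep 18 15:58:02 acheron ipmon[194]: 15:58:02.794832 ep0 @0:12 b "
    "209.67.38.62,80 -> 10.0.0.3,2049 PR tcp len 20 44 -AS"
)


@dataclass
class IpmonRecord:
    sysdate: str
    host: str
    logtime: str
    ifname: str
    group: int
    rule: int
    blocked: bool
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    hlen: int    # IP header length in bytes; 20 means no IP options
    plen: int    # total IP packet length in bytes
    flags: str   # TCP flag letters, e.g. "AS" for SYN-ACK; "" if none logged


def parse_ipmon(line: str) -> Optional[IpmonRecord]:
    """Return an IpmonRecord for one log line, or None if the shape differs."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    return IpmonRecord(
        sysdate=m["sysdate"], host=m["host"], logtime=m["logtime"],
        ifname=m["ifname"], group=int(m["group"]), rule=int(m["rule"]),
        blocked=(m["action"] == "b"),
        src=ipaddress.IPv4Address(m["src"]), sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]), dport=int(m["dport"]),
        proto=m["proto"], hlen=int(m["hlen"]), plen=int(m["plen"]),
        flags=(m["flags"] or "").lstrip("-"),
    )


def has_ip_options(rec: IpmonRecord) -> bool:
    """A minimal IPv4 header is 20 bytes; anything longer carries options."""
    return rec.hlen > 20


def is_syn_ack(rec: IpmonRecord) -> bool:
    """True for a TCP record whose logged flags include both SYN and ACK."""
    return rec.proto == "tcp" and "S" in rec.flags and "A" in rec.flags


def assess(rec: IpmonRecord) -> List[str]:
    """Turn the message's reasoning about one record into a list of notes."""
    notes = ["no IP options" if not has_ip_options(rec)
             else "IP options present (%d bytes)" % (rec.hlen - 20)]
    if is_syn_ack(rec):
        notes.append("SYN-ACK from port %d to port %d" % (rec.sport, rec.dport))
        if rec.dst.is_private:
            # An unsolicited SYN-ACK for an RFC 1918 address arriving on the
            # outside interface is the case the message walks through.
            notes.append("destination %s is private; check NAT (bimap, "
                         "session reuse) and routing" % rec.dst)
    return notes


if __name__ == "__main__":
    rec = parse_ipmon(SAMPLE_LINE)
    print(rec)
    for note in assess(rec):
        print("-", note)
```

Feeding the sample line through assess() yields "no IP options", the SYN-ACK observation and the private-destination reminder, i.e. the same three points the message makes. Records for other protocols (ICMP, for instance, has no port and a different trailer) come back as None rather than being guessed at.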