Why ip-fw reject for IP's outside node's netmask?


Post by Lew Pitch » Tue, 04 May 1999 04:00:00



An acquaintance has configured his system to provide IP Masquerading between his


cable modem, and his eth1 is connected to his internal lan. He has deny logging
enabled (I don't have his ruleset handy to post).

ifconfig shows...
eth0      Link encap:Ethernet  HWaddr 00:80:C8:77:3C:17
          inet addr:24.xx.xx.195  Bcast:24.xx.xx.255  Mask:255.255.252.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4756223 errors:1 dropped:0 overruns:0 frame:1
          TX packets:354499 errors:1 dropped:0 overruns:0 carrier:1
          collisions:8831
          Interrupt:9 Base address:0xdc00

eth1      Link encap:Ethernet  HWaddr 00:80:C8:77:3C:22
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:86740 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86154 errors:65 dropped:0 overruns:0 carrier:65
          collisions:4299
          Interrupt:10 Base address:0xd800

and his /var/log/messages shows...
Apr 30 15:09:41 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=46 F=0x0000 T=30
Apr 30 15:09:43 ZEA kernel: IP fw-in deny eth0 UDP 192.168.0.1:68 255.255.255.255:67 L=328 S=0x00 I=62528 F=0x0000 T=128
Apr 30 15:09:52 ZEA kernel: IP fw-in deny eth0 UDP 192.168.0.1:68 255.255.255.255:67 L=328 S=0x00 I=62784 F=0x0000 T=128
Apr 30 15:09:54 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=48 F=0x0000 T=30
Apr 30 15:10:07 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=49 F=0x0000 T=30
Apr 30 15:10:07 ZEA kernel: IP fw-in deny eth0 UDP 192.168.0.1:68 255.255.255.255:67 L=328 S=0x00 I=64320 F=0x0000 T=128
Apr 30 15:10:20 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=50 F=0x0000 T=30
Apr 30 15:10:33 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=52 F=0x0000 T=30
Apr 30 15:10:46 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=53 F=0x0000 T=30
Apr 30 15:10:59 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=55 F=0x0000 T=30
Apr 30 15:11:12 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=56 F=0x0000 T=30
Apr 30 15:11:25 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=58 F=0x0000 T=30
Apr 30 15:11:38 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=59 F=0x0000 T=30
Apr 30 15:11:51 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=61 F=0x0000 T=30
Apr 30 15:11:54 ZEA kernel: IP fw-in deny eth0 UDP 192.168.0.1:68 255.255.255.255:67 L=328 S=0x00 I=14424 F=0x0000 T=128
Apr 30 15:11:58 ZEA kernel: IP fw-in deny eth0 UDP 192.168.0.1:68 255.255.255.255:67 L=328 S=0x00 I=14680 F=0x0000 T=128
Apr 30 15:12:04 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=62 F=0x0000 T=30

Note that the rejected IP addresses are 10.20.0.3 and 192.168.0.1; neither is on his
subnet.

I believe that what he is seeing is a combination of a couple of misconfigured servers

Can anyone suggest why his TCP/IP stack is intercepting these packets??

Lew Pitcher
System Consultant, Integration Solutions Architecture
Toronto Dominion Bank


(Opinions expressed are my own, not my employer's.)

 
 
 


Post by Malwar » Wed, 05 May 1999 04:00:00


Hi Lew,



> cable modem, and his eth1 is connected to his internal lan. He has deny logging
> enabled (I don't have his ruleset handy to post).
[...]
> Apr 30 15:11:58 ZEA kernel: IP fw-in deny eth0 UDP 192.168.0.1:68 255.255.255.255:67 L=328 S=0x00 I=14680 F=0x0000 T=128
> Apr 30 15:12:04 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=62 F=0x0000 T=30

> Note that the rejected IP addresses are 10.20.0.3 and 192.168.0.1; neither are on his
> subnet.

IMHO such a broadband-cable network is a broadcast network. So it is
quite normal to see packets to various broadcast addresses. Especially
BOOTP/DHCP packets - as the first one I quoted - are likely to cross.
The other one does belong to "Encore Expedited Remote Pro.Call" (erpc) -
whatever this will be.

> Can anyone suggest why his TCP/IP stack is intercepting these packets??

Surely because they are sent as link-level broadcasts.

Malware
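
An added example, not part of either post: a small triage script for the "IP fw-in deny" lines quoted in this thread, showing for each entry whether the source lies on the interface's subnet and what kind of destination address it carries. The eth0 address is a constructed stand-in (the post masks the real one), and treating a foreign x.x.x.255 destination as a directed broadcast assumes that remote subnet is a /24.

```python
import ipaddress
import re
from collections import Counter

# Two deny lines taken from the thread, with the wrapped tail rejoined.
SAMPLE_LOG = """\
Apr 30 15:11:58 ZEA kernel: IP fw-in deny eth0 UDP 192.168.0.1:68 255.255.255.255:67 L=328 S=0x00 I=14680 F=0x0000 T=128
Apr 30 15:12:04 ZEA kernel: IP fw-in deny eth0 UDP 10.20.0.3:121 10.20.0.255:121 L=50 S=0x00 I=62 F=0x0000 T=30
"""

# Constructed stand-in for eth0: the post masks the real address (24.xx.xx.195),
# so a documentation-range address with the same 255.255.252.0 mask is used.
ETH0 = ipaddress.ip_interface("198.51.100.195/255.255.252.0")
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")
LINE_RE = re.compile(
    r"IP fw-in (?P<action>\w+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

def dst_kind(dst, net):
    """Classify the destination relative to the receiving interface's subnet."""
    if dst == LIMITED_BCAST:
        return "limited broadcast"
    if dst == net.broadcast_address:
        return "directed broadcast, own subnet"
    if dst not in net and int(dst) & 0xFF == 0xFF:
        # Assumption: the foreign subnet is a /24; its real mask is not in the log.
        return "directed broadcast, foreign subnet (assumed /24)"
    return "unicast"

def classify(line, iface=ETH0):
    """Parse one deny line; return None if it is not in the expected format."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    return {
        "iface": m["iface"], "proto": m["proto"], "dport": int(m["dport"]),
        "src": str(src),
        "src_on_subnet": src in iface.network,
        "src_private": src.is_private,  # RFC 1918 and other non-global ranges
        "dst_kind": dst_kind(dst, iface.network),
    }

def summarize(log_text, iface=ETH0):
    """Count deny lines per (source, destination kind, destination port)."""
    rows = filter(None, (classify(l, iface) for l in log_text.splitlines()))
    return Counter((r["src"], r["dst_kind"], r["dport"]) for r in rows)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

Both sample entries come out as private-range sources that are off the interface's subnet and addressed to a broadcast destination, which matches the link-level broadcast explanation given in the reply.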

 
 
 
