Date:      Mon, 12 Oct 2015 13:29:18 -0400
From:      Ernie Luzar <luzar722@gmail.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Are udp packets with non-routeable ip addresses valid on public network?
Message-ID:  <561BEDEE.1060409@gmail.com>
In-Reply-To: <561BBBD4.8090708@infracaninophile.co.uk>
References:  <561BB03D.1060104@gmail.com> <561BBBD4.8090708@infracaninophile.co.uk>

Matthew Seaman wrote:
> On 2015/10/12 14:06, Ernie Luzar wrote:
> 
>> I am receiving unsolicited inbound udp packets with a "to ip address"
>> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp
>> packets from that LAN computer pass through the firewall NAT as
>> expected. I added a firewall rule to block that packet and there are no
>> outward signs of problems with that LAN computer.
>>
>> On other LAN PCs that run ms/windows and facebook or yahoo are sending
>> outbound udp packets with "from ip address" containing their LAN ip
>> address. I block these also without any outward signs of problems. These
>> packets are not being NAT'ed like other udp packets from that LAN PC are.
>>
>> I thought non-routable ip addresses are invalid on the public network.
>>
>> Any ideas on what is occurring here?
> 
> Do you mean you are receiving packets on the *external* interface of
> your firewall with an IP number for a host in the private address space
> on your internal lan?

YES

> 
> No, that shouldn't happen.  RFC1918 addressed packets should not be
> routable on the Internet.
> 
> It sounds as if your firewall might be letting un-NAT'ed traffic through
> itself for some combination of host and protocol, and you are somehow
> seeing responses.  Or else someone has worked out what some of your
> internal addresses are and is trying to spoof your firewall -- but
> they'd have to be fairly close to you in network terms to even attempt that.
> 
> Your firewall should reject such packets -- it's good practice to drop
> packets using private address space when they arrive from or depart to
> public networks, and also to drop packets that arrive at an 'impossible'
> interface according to the routing table.  You can do that last bit
> fairly easily in pf(4) by something like:
> 
> block in log quick on $ext_if from no-route to any
> block in log quick on $ext_if from urpf-failed to any
> 
> 	Cheers,
> 
> 	Matthew
> 


I am running 10.2 and ipfilter firewall. No problems with tcp packets, 
just udp packets being issued from facebook and yahoo. I'm thinking this 
may be a phone-home virus or coding error in usage of udp packets in 
those 2 websites.
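
The policy described in the reply above (no RFC 1918 source or destination on the public-facing interface, in either direction), written as a small audit over packet records. This is an added example, not part of the original thread. It assumes an external interface named `em0` and a constructed one-line record format describing packets as seen on the wire; that format is not ipmon or pf log output.

```python
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXT_IF = "em0"  # assumption: name of the external (public-facing) interface

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse(record):
    """Parse 'iface dir proto src -> dst' (constructed format, not ipmon output)."""
    fields = record.split()
    if len(fields) != 6 or fields[4] != "->" or fields[1] not in ("in", "out"):
        raise ValueError(f"malformed record: {record!r}")
    iface, direction, proto, src, _, dst = fields
    return iface, direction, proto, src, dst

def check(record):
    """Return the policy violations for one packet seen on the wire."""
    iface, direction, _proto, src, dst = parse(record)
    if iface != EXT_IF:
        return []  # private addresses are expected on the LAN side
    findings = []
    if is_rfc1918(src):
        findings.append(f"{direction}: private source {src}")
    if is_rfc1918(dst):
        findings.append(f"{direction}: private destination {dst}")
    return findings

def audit(records):
    """Map each offending record to its findings; clean records are omitted."""
    report = {}
    for rec in records:
        findings = check(rec)
        if findings:
            report[rec] = findings
    return report

# Constructed sample records; the public addresses are documentation ranges.
SAMPLE = [
    "em0 in udp 198.51.100.7 -> 10.0.10.1",     # inbound to a LAN address
    "em0 out udp 10.0.10.1 -> 203.0.113.20",    # outbound, source not NAT'ed
    "em0 out udp 203.0.113.5 -> 198.51.100.7",  # normal translated traffic
    "em1 out udp 10.0.10.1 -> 198.51.100.7",    # LAN-side interface, ignored
]

if __name__ == "__main__":
    for rec, why in audit(SAMPLE).items():
        print(rec, "=>", "; ".join(why))
```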



