From owner-freebsd-security  Mon Jul 13 16:58:43 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA09703
          for freebsd-security-outgoing; Mon, 13 Jul 1998 16:58:43 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (root@COPLAND.CODA.CS.CMU.EDU [128.2.222.48])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA09698
          for <freebsd-security@FreeBSD.ORG>; Mon, 13 Jul 1998 16:58:41 -0700 (PDT)
          (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.8.8/8.8.8) with SMTP id TAA08367;
	Mon, 13 Jul 1998 19:58:20 -0400 (EDT)
Date: Mon, 13 Jul 1998 19:58:20 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: Ludwig Pummer <ludwigp@bigfoot.com>
cc: Alexander Kandelaki <stealth@sanet.ge>, freebsd-security@FreeBSD.ORG
Subject: Re: Question...
In-Reply-To: <3.0.3.32.19980713104816.03203d78@mail.plstn1.sfba.home.com>
Message-ID: <Pine.BSF.3.96.980713195634.8340D-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 13 Jul 1998, Ludwig Pummer wrote:

> My guess is someone either a) has an incorrectly set firewall/proxy gateway
> system or b) is trying to hack/break your machine
> My guess is that it's b), since people who try to hack/break your machine
> try to hide who they are by spoofing their IP.

I have a number of machines attached to a private network with a reserved
address range in use -- I have ipfw set up to reject packets from that
address range coming from the exposed interfaces on the big bad internet.
I often see ipfw accounting entries from rejected packets that are
addressed to or from the reserved address range on the outside interfaces.
I've never caught any in a sniffer, but then, I have never tried.

I suggest everyone verify their ipfw/border router filters to make sure
they are rejecting appropriate ranges of addresses!

  Robert N Watson 

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message