Date: Mon, 27 Oct 2003 12:40:22 +0300
From: <freebsd@dwec.ru>
To: <freebsd-ipfw@freebsd.org>
Subject: Re: Strange leakage of private source addresses w/ipfw and natd
Message-ID: <020201c39c6e$5f0fea40$080ba8c0@admin>
References: <3F833434.5090506@tenebras.com> <ekx0paff.fsf@ID-23066.news.dfncis.de>
Ok, maybe not THAT important but definitely a Bad Surprise.

Here's the sample (and in current configuration only ICMP packets from time to time are being passed through unaltered):

snort: [1:0:0] POSSIBLE address leakage - ICMP {ICMP} 192.168.5.2 -> 208.115.104.193

[**] POSSIBLE address leakage - ICMP [**]
10/25-22:55:08.782139 192.168.5.2 -> 208.115.104.193
ICMP TTL:255 TOS:0x0 ID:17365 IpLen:20 DgmLen:60
Type:11 Code:0 TTL EXCEEDED IN TRANSIT

192.168.5.2 is Cisco 2509 if it matters.

box details: ipfw2+natd, acts as a gateway.
OS version 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #0: Thu Sep 25 08:58:21 MSD 2003, but it doesn't matter as I've seen this behaviour before.

PS I can provide more details if needed.

> > This doesn't have a (user-) noticeable impact on traffic, but
> > installing a silent network recorder outside my firewall shows that
> > some RFC 1918 addrs are getting through.
> don't worry, just block them on the external interface.
>
> > I'll post details when I've got them, but I'm wondering if anyone
> > else has seen this?
> it happens, and with my installation they are coming from the outside.
> clemens
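An added example, not part of the original message or of the thread: a check that scans Snort alert text captured outside the gateway, as described above, and lists flows whose source address is in RFC 1918 space. The function names and every sample line marked as constructed are assumptions made for the illustration; the two unmarked sample lines are the ones quoted in the message.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly: ipaddress.is_private would also
# match loopback, link-local and other reserved space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "src -> dst" as printed in Snort alert lines; an optional :port is tolerated.
FLOW = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
                  r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?")


def is_rfc1918(text):
    """True if the dotted-quad string is inside an RFC 1918 range."""
    addr = ipaddress.ip_address(text)  # raises ValueError on bad input
    return any(addr in net for net in RFC1918)


def find_leaks(lines):
    """Return sorted unique (src, dst) pairs whose source is RFC 1918.

    Assumes the lines come from a sensor outside the NAT gateway, where
    no RFC 1918 source address should ever be visible.
    """
    leaks = set()
    for line in lines:
        m = FLOW.search(line)
        if not m:
            continue
        src, dst = m.groups()
        try:
            ipaddress.ip_address(dst)
            if is_rfc1918(src):
                leaks.add((src, dst))
        except ValueError:
            continue  # not a real address, e.g. an octet above 255
    return sorted(leaks)


SAMPLE = [
    "snort: [1:0:0] POSSIBLE address leakage - ICMP {ICMP} 192.168.5.2 -> 208.115.104.193",
    "10/25-22:55:08.782139 192.168.5.2 -> 208.115.104.193",
    "10/25-22:57:00.000000 203.0.113.7:40000 -> 198.51.100.9:80",  # constructed
    "10/25-22:58:00.000000 172.31.9.9 -> 198.51.100.9",            # constructed
    "10/25-22:58:01.000000 172.32.0.1 -> 198.51.100.9",            # constructed
    "10/25-22:58:02.000000 192.168.999.1 -> 198.51.100.9",         # constructed
]

if __name__ == "__main__":
    for src, dst in find_leaks(SAMPLE):
        print(f"RFC 1918 source seen outside NAT: {src} -> {dst}")
```

Addresses alone do not show whether a flagged packet left the gateway untranslated or arrived from upstream with a private source, which is the distinction raised in the quoted reply.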