Date:      Mon, 27 Oct 2003 12:40:22 +0300
From:      <>
To:        <>
Subject:   Re: Strange leakage of private source addresses w/ipfw and natd
Message-ID:  <020201c39c6e$5f0fea40$080ba8c0@admin>
References:  <> <>

Ok, maybe not THAT important but definitely a Bad Surprise.
Here's the sample (and in current configuration only ICMP packets from time
to time are being passed through unaltered):

snort: [1:0:0] POSSIBLE address leakage - ICMP {ICMP} ->
[**] POSSIBLE address leakage - ICMP [**]
10/25-22:55:08.782139 ->
ICMP TTL:255 TOS:0x0 ID:17365 IpLen:20 DgmLen:60
Type:11  Code:0  TTL EXCEEDED IN TRANSIT

is Cisco 2509 if it matters.

box details: ipfw2+natd, acts as a gateway.
OS version 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #0: Thu Sep 25 08:58:21 MSD
2003, but it doesn't matter as I've seen this behaviour before.

I can provide more details if needed.

> > This doesn't have a (user-) noticeable impact on traffic, but
> > installing a silent network recorder outside my firewall shows that
> > some RFC 1918 addrs are getting through.
> don't worry, just block them on the external interface.
> > I'll post details when I've got them, but I'm wondering if anyone
> > else has seen this?
> it happens, and with my installation they are coming from the outside.
>   clemens
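
The advice quoted above (block the addresses on the external interface), sketched as an added example that is not part of the original message or of FreeBSD's own scripts. The interface name fxp0, the divert rule number 500 and the rule numbers 510-530 are assumptions; the rules must sit after the natd divert rule and before the first rule that allows traffic.

```shell
#!/bin/sh
# Added example: egress filter for RFC 1918 source addresses on an
# ipfw + natd gateway. All names and rule numbers below are assumptions.

IPFW="${IPFW:-echo ipfw}"          # dry run by default; set IPFW=/sbin/ipfw to apply
OIF="${OIF:-fxp0}"                 # assumed external interface
DIVERT_RULE="${DIVERT_RULE:-500}"  # assumed number of the existing natd divert rule

# Emit one deny+log rule per private range for packets leaving via the
# external interface. Packets re-injected by natd continue at the rule
# after the divert rule, so these rules are numbered above DIVERT_RULE:
# translated packets no longer match, while anything natd passed through
# unaltered still carries a private source address and is dropped and logged.
rfc1918_egress_rules() {
    n=$((DIVERT_RULE + 10))
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPFW add "$n" deny log ip from "$net" to any out via "$OIF"
        n=$((n + 10))
    done
}

rfc1918_egress_rules
```

Run as-is, the script only prints the three ipfw commands for review. The log keyword produces entries only when ipfw logging is enabled on the gateway.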
