2007-03-03
jacobsen
anti-spoofing pushes me to the edges

Hello dear friends,

Our anti-spoofing is not working as expected.
There are always some packets dropped due to anti-spoofing, even though
anti-spoofing and the topology settings are configured as they should be
(well, as far as I understand it).
I really don't know why on earth this happens.
Hopefully one of you can point me the right way...

Here it comes:

Nokia VRRP cluster (R60 HFA4, IPSO 4.1-22) managed by P1.
- eth-s3p3c0 is LAN (10.0.0.0/8)
- eth-s1/s1p1c4 is DMZ (172.18.254.1/24)
There are some subnets reachable via 172.18.254.x:
Code:
S     172.18.18/24        via 172.18.254.11, eth-s1/s1p1c4, cost 0, age 1144033
S     172.18.64/19        via 172.18.254.13, eth-s1/s1p1c4, cost 0, age 1144033
S     172.18.96/19        via 172.18.254.15, eth-s1/s1p1c4, cost 0, age 1144033
S     172.18/19           via 172.18.254.11, eth-s1/s1p1c4, cost 0, age 1144033
Topology for eth-s1/s1p1c4 is set on the cluster interface (module interfaces are clean = not defined):
> Internal > Specific > group "dmz"

Group "dmz" consists of:
Code:
Networkobject_172.18.254.0-24
Networkobject_172.18.18.0-24
Networkobject_172.18.64.0-19
Networkobject_172.18.96.0-19
Networkobject_172.18.0.0-19
Option "Perform Anti-Spoofing" is not checked.

Topology for eth-s3p3c0 is "not defined".

That's what fw monitor gets:
Code:
eth-s3p3c0:i[63]: 10.80.73.106 -> 172.18.95.254 (UDP) len=63 id=44237
UDP: 2967 -> 2967
eth-s3p3c0:I[63]: 10.80.73.106 -> 172.18.95.254 (UDP) len=63 id=44237
UDP: 2967 -> 2967
eth-s1/s1p1c4:o[63]: 10.80.73.106 -> 172.18.95.254 (UDP) len=63 id=44237
UDP: 2967 -> 2967

And that's the entry in the log file:
Code:
Number:      	1664401
Date:            	3Mar2007
Time:           	17:16:40
Product:       	VPN-1 Pro/Express
Interface:     	eth-s1/s1p1c4
Origin:         	firewall (10.0.0.1)
Type:           	Alert
Action:         	Drop
Protocol:      	udp
Service:       	UDP_2967 (2967)
Source:        	client (10.80.73.106)
Destination: 	target (172.18.95.254)
Source Port:	UDP_2967 (2967)
Information: 	message_info: Local interface address spoofing
I grepped through $FWDIR/conf/objects_5_0.C for "perform_anti_spoofing" and got only "false" back.
But one entry in objects_5_0.C caught my attention: fw_local_interface_anti_spoof (true)
What exactly does that mean? Well, the drop information is "Local interface address spoofing"; does "fw_local_interface_anti_spoof (true)" have something to do with it?

Any reply is very much welcome.
Cheers,
J

UPDATE
I found the article sk25911. It explains what fw_local_interface_anti_spoof (true) is used for.
But the question now is: why does the module think the IP 10.80.73.106 or 172.18.95.254 belongs to a local interface?

Last edited by jacobsen; 2007-03-04 at 12:07.
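To make the two checks the post is juggling concrete, here is an added example (editor's code, not Check Point code and not anything from the original post) that models a topology-based anti-spoofing check and a local-interface-address check, then runs both over the fw monitor lines quoted above. The gateway addresses come from the post (10.0.0.1 is the log "Origin", 172.18.254.1 is the DMZ interface address); two things are assumptions because sk25911's content is not on this page: that 10.0.0.1 sits on eth-s3p3c0, and that the local-interface check drops a packet whose source address equals one of the gateway's own interface addresses.

```python
"""Model of Check Point-style anti-spoofing checks over fw monitor output.

Added example, not Check Point's code.  The meaning of
fw_local_interface_anti_spoof is modelled as an assumption: drop any packet
whose source address is one of the gateway's own interface addresses.
"""
import ipaddress
import re

# Gateway interface addresses from the post.  Assumption: 10.0.0.1 (the log
# "Origin") is the address on the LAN interface eth-s3p3c0.
LOCAL_ADDRS = {
    "eth-s3p3c0": ipaddress.ip_address("10.0.0.1"),
    "eth-s1/s1p1c4": ipaddress.ip_address("172.18.254.1"),
}

# Topology as described: DMZ = Internal > Specific > group "dmz";
# LAN topology "not defined" (None).
TOPOLOGY = {
    "eth-s3p3c0": None,
    "eth-s1/s1p1c4": [ipaddress.ip_network(n) for n in (
        "172.18.254.0/24", "172.18.18.0/24", "172.18.64.0/19",
        "172.18.96.0/19", "172.18.0.0/19")],
}

# "Perform Anti-Spoofing" is unchecked on the DMZ interface in the post.
PERFORM_ANTI_SPOOFING = {"eth-s3p3c0": False, "eth-s1/s1p1c4": False}

# fw monitor header line: "<iface>:<point>[<len>]: <src> -> <dst> ..."
# The detail lines ("UDP: 2967 -> 2967") do not match and are skipped.
_HDR = re.compile(r"^(?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]:\s+"
                  r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+)")


def parse_fw_monitor(text):
    """Return (iface, inspection_point, src, dst) for each header line."""
    pkts = []
    for line in text.splitlines():
        m = _HDR.match(line.strip())
        if m:
            pkts.append((m["iface"], m["point"], m["src"], m["dst"]))
    return pkts


def which_topology_net(iface, addr):
    """Name the topology network containing addr on iface, or None."""
    nets = TOPOLOGY.get(iface) or []
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in nets if ip in n), None)


def check_packet(iface, point, src, dst, anti_spoofing=None):
    """Return 'accept' or a drop reason for one inspection point.

    Local interface check (assumption): source equal to a gateway address is
    dropped at any point.  Topology check: at pre-inbound ('i') with Perform
    Anti-Spoofing enabled, the source must lie inside the interface's
    topology networks; an undefined topology means nothing to check.
    """
    enabled = PERFORM_ANTI_SPOOFING if anti_spoofing is None else anti_spoofing
    ip = ipaddress.ip_address(src)
    if ip in LOCAL_ADDRS.values():
        return "drop: Local interface address spoofing"
    if point == "i" and enabled.get(iface) and TOPOLOGY.get(iface) is not None:
        if which_topology_net(iface, src) is None:
            return "drop: Address spoofing"
    return "accept"


def verdicts(text):
    """Verdict per inspection point for a block of fw monitor output."""
    return [(iface, point, src, dst, check_packet(iface, point, src, dst))
            for iface, point, src, dst in parse_fw_monitor(text)]


# fw monitor output quoted from the post.
FW_MONITOR_OUTPUT = """\
eth-s3p3c0:i[63]: 10.80.73.106 -> 172.18.95.254 (UDP) len=63 id=44237
UDP: 2967 -> 2967
eth-s3p3c0:I[63]: 10.80.73.106 -> 172.18.95.254 (UDP) len=63 id=44237
UDP: 2967 -> 2967
eth-s1/s1p1c4:o[63]: 10.80.73.106 -> 172.18.95.254 (UDP) len=63 id=44237
UDP: 2967 -> 2967
"""

if __name__ == "__main__":
    for v in verdicts(FW_MONITOR_OUTPUT):
        print(*v)
    print("172.18.95.254 lies in", which_topology_net("eth-s1/s1p1c4", "172.18.95.254"))
    # Constructed packets the modelled checks would drop:
    print(check_packet("eth-s1/s1p1c4", "i", "10.0.0.1", "172.18.18.5"))
    print(check_packet("eth-s1/s1p1c4", "i", "192.0.2.7", "10.1.2.3",
                       {"eth-s1/s1p1c4": True}))
```

Under this model all three inspection points of the posted packet come back "accept": neither 10.80.73.106 nor 172.18.95.254 is a gateway interface address, and the destination falls inside the group's 172.18.64.0/19. The two constructed packets at the end show what each check is built to catch: a source that is the gateway's own 10.0.0.1 arriving on the DMZ interface, and (once Perform Anti-Spoofing is switched on) a source outside the "dmz" group.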