Date: Mon, 12 Oct 2015 13:29:18 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: Are udp packets with non-routeable ip addresses valid on public network?
Message-ID: <561BEDEE.1060409@gmail.com>
In-Reply-To: <561BBBD4.8090708@infracaninophile.co.uk>
References: <561BB03D.1060104@gmail.com> <561BBBD4.8090708@infracaninophile.co.uk>
Matthew Seaman wrote:
> On 2015/10/12 14:06, Ernie Luzar wrote:
>
>> I am receiving unsolicited inbound udp packets with a "to ip address"
>> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp
>> packets from that LAN computer pass through the firewall NAT as
>> expected. I added a firewall rule to block that packet and there are no
>> outward signs of problems with that LAN computer.
>>
>> On other LAN PC's that run ms/windows and facebook or yahoo are sending
>> out bound udp packets with "from ip address" containing their LAN ip
>> address. I block these also without any outward signs of problems. These
>> packets are not being NAT'ed like other udp packets from that LAN PC are.
>>
>> I thought non-routeable ip addresses are invalid on the public network.
>>
>> Any ideas on what is occurring here?
>
> Do you mean you are receiving packets on the *external* interface of
> your firewall with an IP number for a host in the private address space
> on your internal lan?

YES

> No, that shouldn't happen. RFC1918 addressed packets should not be
> routable on the Internet.
>
> It sounds as if your firewall might be letting un-NAT'ed traffic through
> itself for some combination of host and protocol, and you are somehow
> seeing responses. Or else someone has worked out what some of your
> internal addresses are and is trying to spoof your firewall -- but
> they'd have to be fairly close to you in network terms to even attempt that.
>
> Your firewall should reject such packets -- it's good practice to drop
> packets using private address space when they arrive from or depart to
> public networks, and also to drop packets that arrive at an 'impossible'
> interface according to the routing table. You can do that last bit
> fairly easily in pf(4) by something like:
>
> block in log quick on $ext_if from no-route to any
> block in log quick on $ext_if from urpf-failed to any
>
> Cheers,
>
> Matthew

I am running 10.2 and ipfilter firewall.
No problems with tcp packets, just udp packets being issued from facebook and yahoo. I'm thinking this may be a phone home virus or coding error in usage of udp packets in those 2 websites.
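The three checks Matthew describes (drop RFC 1918 addresses arriving at or leaving the public interface, and drop packets that arrive on an interface the routing table says they could not have come from, which is what pf's `urpf-failed` does) can be run offline over firewall log lines to see which ones the rules would have caught. The following script is an added example written for this archive page; it is not code from the thread or from pf or ipfilter. The log format, interface names (`em0` external, `em1` LAN), addresses and routing table are all constructed for the example.

```python
"""Classify firewall log lines against the edge-filtering rules discussed in the thread:
private addresses on the public interface, un-NATed private sources leaving, and a
uRPF-style 'impossible interface' check.  Added example; log format is constructed."""
import ipaddress
from dataclasses import dataclass

EXT_IF = "em0"  # assumed: external (public) interface
INT_IF = "em1"  # assumed: LAN interface

# Address blocks that must never appear as src or dst on the public side.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",     # loopback, "this" net, link-local
)]

# Constructed routing table: prefix -> interface the firewall would send via.
ROUTES = {
    ipaddress.ip_network("10.0.10.0/24"): INT_IF,
    ipaddress.ip_network("198.51.100.0/24"): INT_IF,  # a public block homed on the LAN side
    ipaddress.ip_network("0.0.0.0/0"): EXT_IF,        # default route
}


@dataclass
class Packet:
    direction: str  # "in" or "out"
    iface: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_line(line):
    """Parse the constructed format '<in|out> <iface> <proto> <src>:<port> -> <dst>:<port>'."""
    direction, iface, proto, src, _, dst = line.split()
    return Packet(direction, iface, proto,
                  ipaddress.ip_address(src.rsplit(":", 1)[0]),
                  ipaddress.ip_address(dst.rsplit(":", 1)[0]))


def is_bogon(addr):
    return any(addr in net for net in BOGON_NETS)


def route_iface(addr):
    """Longest-prefix match: the interface a reply to addr would leave through."""
    best = max((net for net in ROUTES if addr in net),
               key=lambda n: n.prefixlen, default=None)
    return ROUTES[best] if best is not None else None


def classify(pkt):
    """Return the first rule the packet trips, or 'pass'."""
    if pkt.iface == EXT_IF:
        if pkt.direction == "in" and is_bogon(pkt.dst):
            return "private-dst"   # the poster's first case: 10.0.10.1 as destination from outside
        if pkt.direction == "in" and is_bogon(pkt.src):
            return "private-src"   # RFC 1918 source on the public link
        if pkt.direction == "out" and is_bogon(pkt.src):
            return "unnated-src"   # the poster's second case: LAN address leaking out un-NATed
    # uRPF-style check: a reply to the source must leave via the interface it arrived on.
    if pkt.direction == "in" and route_iface(pkt.src) != pkt.iface:
        return "urpf-failed"
    return "pass"


def audit(lines):
    return [(line, classify(parse_line(line))) for line in lines]


# Constructed sample log lines; 192.0.2.1 plays the firewall's public address.
SAMPLE_LOG = [
    "in em0 udp 203.0.113.7:53 -> 10.0.10.1:34567",      # inbound to a LAN address
    "out em0 udp 10.0.10.5:5353 -> 203.0.113.50:443",    # LAN source leaving un-NATed
    "in em0 tcp 198.51.100.9:4444 -> 192.0.2.1:22",      # source belongs behind em1
    "in em0 udp 203.0.113.7:53 -> 192.0.2.1:34567",      # ordinary DNS reply
    "in em1 udp 10.0.10.5:5353 -> 203.0.113.7:53",       # LAN host going out, as expected
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:12s} {line}")
```

Running it prints one verdict per sample line; the first two reproduce the two anomalies in the original post, and the third shows the uRPF case that the `from urpf-failed` rule covers. In pf the same classifications come from the `no-route` / `urpf-failed` keywords and a table of RFC 1918 prefixes; in ipfilter they would be written as ordinary `block in quick on <ext_if> from 10.0.0.0/8 to any` style rules.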
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?561BEDEE.1060409>