From: Ernie Luzar
Date: Mon, 12 Oct 2015 13:29:18 -0400
To: Matthew Seaman
CC: freebsd-questions@freebsd.org
Subject: Re: Are udp packets with non-routeable ip addresses valid on public network?
Message-ID: <561BEDEE.1060409@gmail.com>
In-Reply-To: <561BBBD4.8090708@infracaninophile.co.uk>

Matthew Seaman wrote:
> On 2015/10/12 14:06, Ernie Luzar wrote:
>
>> I am receiving unsolicited inbound udp packets with a "to ip address"
>> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp
>> packets from that LAN computer pass through the firewall NAT as
>> expected. I added a firewall rule to block that packet and there are no
>> outward signs of problems with that LAN computer.
>>
>> On other LAN PCs that run ms/windows, facebook or yahoo are sending
>> outbound udp packets with "from ip address" containing their LAN ip
>> address. I block these also without any outward signs of problems. These
>> packets are not being NAT'ed like other udp packets from that LAN PC are.
>>
>> I thought non-routable ip addresses are invalid on the public network.
>>
>> Any ideas on what is occurring here?
>
> Do you mean you are receiving packets on the *external* interface of
> your firewall with an IP number for a host in the private address space
> on your internal lan?

YES

> No, that shouldn't happen. RFC1918 addressed packets should not be
> routable on the Internet.
>
> It sounds as if your firewall might be letting un-NAT'ed traffic through
> itself for some combination of host and protocol, and you are somehow
> seeing responses. Or else someone has worked out what some of your
> internal addresses are and is trying to spoof your firewall -- but
> they'd have to be fairly close to you in network terms to even attempt that.
>
> Your firewall should reject such packets -- it's good practice to drop
> packets using private address space when they arrive from or depart to
> public networks, and also to drop packets that arrive at an 'impossible'
> interface according to the routing table. You can do that last bit
> fairly easily in pf(4) by something like:
>
> block in log quick on $ext_if from no-route to any
> block in log quick on $ext_if from urpf-failed to any
>
> Cheers,
>
> Matthew
>

I am running 10.2 and ipfilter firewall. No problems with tcp packets, just udp packets being issued from facebook and yahoo. I'm thinking this may be a phone home virus or coding error in usage of udp packets in those 2 websites.
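The policy Matthew describes, dropping packets that carry private (RFC 1918) addresses when they cross the public interface in either direction, can be checked offline against firewall log records before it is turned into rules. The following is an added example written for this archive page, not code from either poster or from pf(4)/ipfilter; it uses Python's standard `ipaddress` module and assumes an external interface named `em0` and a handful of constructed packet records modelled on the two cases in the thread (an inbound UDP packet addressed to 10.0.10.1 and outbound UDP packets still carrying LAN source addresses). It goes slightly beyond the thread by including the other non-globally-routable blocks that bogon filters normally add to RFC 1918; it does not reproduce pf's `urpf-failed` reverse-path test, which needs the live routing table.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address ranges that should never appear in packets crossing the public
# interface.  The first three are RFC 1918 (what the thread is about); the
# rest are the other non-globally-routable blocks a bogon filter usually adds.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "0.0.0.0/8",                                         # "this" network
    "127.0.0.0/8",                                       # loopback
    "169.254.0.0/16",                                    # link-local
    "100.64.0.0/10",                                     # shared address space (RFC 6598)
)]

EXT_IF = "em0"   # assumed name of the external interface (constructed, not from the thread)


def is_non_routable(addr: str) -> bool:
    """True if addr falls in any range that must not be seen on the public side."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


@dataclass
class Packet:
    iface: str       # interface the packet was seen on
    direction: str   # "in" or "out", relative to the firewall
    proto: str
    src: str
    dst: str


def violation(pkt: Packet) -> Optional[str]:
    """Return why the packet should be dropped on the external interface, or None if it is fine.

    Traffic on internal interfaces is not judged here: private addresses are
    expected there, and the thread's problem is what reaches the public side.
    """
    if pkt.iface != EXT_IF:
        return None
    if pkt.direction == "in" and is_non_routable(pkt.src):
        return "inbound packet with a private source address (spoofed or leaked)"
    if pkt.direction == "in" and is_non_routable(pkt.dst):
        return "inbound packet addressed to a private destination (un-NAT'ed or spoofed)"
    if pkt.direction == "out" and is_non_routable(pkt.src):
        return "outbound packet with a private source address (NAT was bypassed)"
    if pkt.direction == "out" and is_non_routable(pkt.dst):
        return "outbound packet to a private destination (routing leak)"
    return None


# Constructed sample traffic.  The first two records mirror the thread: the
# inbound UDP packet destined for 10.0.10.1, and an outbound UDP packet that
# still carries its LAN source address.  Public addresses are RFC 5737
# documentation-range values, chosen so the sample never names a real host.
SAMPLE: List[Packet] = [
    Packet("em0", "in",  "udp", "198.51.100.7", "10.0.10.1"),
    Packet("em0", "out", "udp", "10.0.10.5",    "203.0.113.20"),
    Packet("em0", "in",  "tcp", "198.51.100.7", "203.0.113.1"),   # ordinary NAT'ed reply: fine
    Packet("em1", "in",  "udp", "10.0.10.5",    "10.0.10.1"),     # internal interface: fine
]


def audit(packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Return every packet that violates the policy together with the reason."""
    flagged = []
    for p in packets:
        reason = violation(p)
        if reason is not None:
            flagged.append((p, reason))
    return flagged


if __name__ == "__main__":
    for p, reason in audit(SAMPLE):
        print(f"DROP {p.direction} on {p.iface} {p.proto} {p.src} -> {p.dst}: {reason}")
```

Running it flags exactly the two packets the thread complains about and passes the normal NAT'ed reply and the purely internal packet. Each reason string corresponds to a rule a firewall would carry in both directions (block in / block out on the external interface for each private range), which is the static half of what the quoted pf `no-route` rule expresses; a separate reverse-path check would still be needed to catch packets arriving on an interface the routing table says they cannot have come from.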