Date:      Wed, 19 Dec 2001 21:24:20 -0500
From:      parv <parv_@yahoo.com>
To:        Dan Nelson <dnelson@allantgroup.com>
Cc:        f-q <freebsd-questions@FreeBSD.ORG>
Subject:   Re: any way to locate the real source ip of an 10/8 address?
Message-ID:  <20011219212420.A22238@moo.holy.cow>
In-Reply-To: <20011219214515.GB30574@dan.emsphone.com>; from dnelson@allantgroup.com on Wed, Dec 19, 2001 at 03:45:16PM -0600
References:  <20011218133818.A23891@moo.holy.cow> <20011219214515.GB30574@dan.emsphone.com>

in message <20011219214515.GB30574@dan.emsphone.com>, 
wrote Dan Nelson thusly...
>
> In the last episode (Dec 18), parv said:
> > is there hope of locating the real ip address behind an 10.0.0.0/8
> > address in general?
...
> > below are two of the >90 ipf alerts w/ most relevant information...
> > 
> > b 10.112.1.1,80 -> a.b.c.d,port PR tcp len 20 1500 -A 1044505376 3051010357 17140 IN
> > b 10.112.1.1,80 -> a.b.c.d,port PR tcp len 20 817 -AFP 248335848 1496692188 17204 IN
> 
> Chances are this *is* the real IP of some machine at timex, and their
> NAT is somehow letting these packets through, AND their ISP is not
> blocking the invalid packets from entering the Internet.  Double
> trouble.  

i was also thinking on the same lines, but just couldn't put it in
the right words.


> I don't see these because my border router has packet filters
> that block invalid/spoofed IPs from entering my network.

same here, more or less, but i choose to see that kind of traffic.


> They look like leaked ACKs from a TCP request from your machine a.b.c.d
> to the webserver at the 10.* machine.

if i didn't misread your above statement, i don't think that would be
possible.  i don't allow anything in but traffic only from those
ip addresses w/ which i have initiated the connection via ipf rules.

could ACKs still be passed thru ipfilter somehow?

below are the rules for outgoing traffic from my standalone machine
connected directly to internet (or, local telephone company anyhow)...

@1 block out from any to any
@2 block out on tun0 from any to any head 400
@1 block out log body quick on tun0 from any to 127.0.0.0/16 group 400
@2 block out log body quick on tun0 from any to 172.16.0.0/16 group 400
@3 block out log body quick on tun0 from any to 192.168.0.0/16 group 400
@4 block out log body quick on tun0 from any to 10.0.0.0/8 group 400
@5 block out log body quick on tun0 from 192.168.0.0/16 to any group 400
@6 block out log body quick on tun0 from 172.16.0.0/16 to any group 400
@7 block out log body quick on tun0 from 127.0.0.0/16 to any group 400
@8 pass out quick on tun0 proto udp from 10.0.0.1/32 to any port = 53 keep state group 400
@9 pass out log or-block quick on tun0 proto udp from any to any port 33433 >< 33465 keep state keep frags group 400
@10 pass out log quick on tun0 proto tcp from any to any keep state keep frags group 400
@11 pass out log quick on tun0 proto udp from any to any keep state group 400
@12 pass out log or-block quick on tun0 proto icmp from any to any icmp-type echo keep state group 400


 - parv

-- 
 

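The question in the message above, whether a stray ACK from 10.112.1.1 could slip past a "keep state" ruleset, comes down to how state matching works: an outbound packet that reaches a "pass out ... keep state" rule creates an entry keyed on the full 5-tuple, and an inbound packet passes only if every field of the reversed tuple agrees. The following is an added example, not code from the original thread or from ipfilter itself. It is a toy model of that logic plus a parser for log lines in the shape of the two ipf lines quoted in the thread, and it walks the scenario Dan describes: a connection to a public web server, a proper reply that matches, a reply with the same ports but an un-rewritten 10/8 source that does not match, and a direct attempt to reach 10.112.1.1 that the "block out ... quick" rules stop before any state exists. The addresses, ports and log lines are constructed (RFC 5737 documentation ranges), the log format beyond the two quoted lines is an assumption, and the model ignores the sequence-window and timeout checks a real stateful filter also applies.

```python
"""Toy model of ipfilter-style 'keep state' matching, plus a parser for
ipf log lines.  Added example; not the thread's or ipfilter's code."""
import ipaddress
import re
from dataclasses import dataclass

# Private and loopback prefixes that should never cross a public link.
# These are the full RFC 1918 and loopback allocations (the ruleset in the
# thread uses /16 for 172.16.0.0 and 127.0.0.0, which is narrower).
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_bogon(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in n for n in BOGONS)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""      # TCP flags as ipf prints them, e.g. "S", "A", "AFP"


class StatefulFilter:
    """Outbound: 'block out quick' for bogons, then 'pass out keep state'.
    Inbound: pass only what matches a state entry; otherwise block and log."""

    def __init__(self):
        self.state = set()   # (proto, local_ip, local_port, remote_ip, remote_port)
        self.log = []

    def out(self, p: Pkt) -> str:
        # The quick block rules precede the pass rule, so a connection to
        # 10/8 is rejected before any state entry is created.
        if is_bogon(p.dst) or is_bogon(p.src):
            self.log.append(f"b {p.src},{p.sport} -> {p.dst},{p.dport} PR {p.proto} OUT")
            return "block"
        self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "pass"

    def inbound(self, p: Pkt) -> str:
        # A reply matches only if the whole reversed 5-tuple agrees; a
        # packet with the right ports but a different source does not.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state:
            return "pass"
        self.log.append(f"b {p.src},{p.sport} -> {p.dst},{p.dport} PR {p.proto} "
                        f"len 20 40 -{p.flags or '?'} IN")
        return "block"


# Assumed line shape, generalised from the two lines quoted in the thread:
# <b|p> src,sport -> dst,dport PR proto len hlen tlen [-FLAGS seq ack win] <IN|OUT>
IPF_LINE = re.compile(
    r"^(?P<act>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)(?: -(?P<flags>[A-Z]+))?"
    r"(?: (?P<seq>\d+) (?P<ack>\d+) (?P<win>\d+))? (?P<dir>IN|OUT)$")


def parse_ipf(line: str):
    m = IPF_LINE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "hlen", "tlen"):
        d[k] = int(d[k])
    d["flags"] = d["flags"] or ""
    return d


def leaked_private_replies(lines):
    """Blocked inbound TCP packets with ACK set and SYN clear from a private
    source: consistent with the thread's theory of replies whose source
    address a remote NAT failed to rewrite, as opposed to ordinary probes."""
    hits = []
    for line in lines:
        d = parse_ipf(line)
        if (d and d["act"] == "b" and d["dir"] == "IN" and d["proto"] == "tcp"
                and is_bogon(d["src"]) and "A" in d["flags"] and "S" not in d["flags"]):
            hits.append(d)
    return hits


# Constructed sample log, modelled on the two lines quoted in the thread.
SAMPLE_LOG = """\
b 10.112.1.1,80 -> 192.0.2.10,3412 PR tcp len 20 1500 -A 1044505376 3051010357 17140 IN
b 10.112.1.1,80 -> 192.0.2.10,3412 PR tcp len 20 817 -AFP 248335848 1496692188 17204 IN
b 203.0.113.7,4321 -> 192.0.2.10,22 PR tcp len 20 60 -S 1234567 0 5840 IN
b 10.9.9.9,53 -> 192.0.2.10,1025 PR udp len 20 60 IN
""".splitlines()


def demo():
    """Walk the thread's scenario; returns the four filter verdicts in order."""
    me, web, leak = "192.0.2.10", "198.51.100.5", "10.112.1.1"   # constructed
    f = StatefulFilter()
    return [
        f.out(Pkt(me, 3412, web, 80, flags="S")),        # SYN out: creates state
        f.inbound(Pkt(web, 80, me, 3412, flags="AS")),   # SYN/ACK back: matches
        f.inbound(Pkt(leak, 80, me, 3412, flags="A")),   # same ports, 10/8 source: no match
        f.out(Pkt(me, 3413, leak, 80, flags="S")),       # direct to 10/8: blocked, no state
    ]


if __name__ == "__main__":
    print(demo())
    for h in leaked_private_replies(SAMPLE_LOG):
        print("leaked-looking reply:", h["src"], h["flags"])
```

The third verdict is the one the message asks about: a packet from 10.112.1.1:80 to the local port of a live connection still fails the state lookup because the source address is part of the key, so it ends up logged as blocked exactly like the "IN" lines quoted above. The last verdict shows why no state entry for 10.112.1.1 can exist on this host in the first place: the "block out ... to 10.0.0.0/8 ... quick" rule is evaluated before "pass out ... keep state". One practical caveat on the bogon list: the ruleset in the thread blocks 172.16.0.0/16 and 127.0.0.0/16, but the actual RFC 1918 and loopback allocations are 172.16.0.0/12 and 127.0.0.0/8, so the example uses the wider prefixes.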



