 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: stange blocked traffic
 Date:  Tue, 26 Jul 2005 17:03:37 -0400
On 7/25/05, Ugo Bellavance <ugob at camo dash route dot com> wrote:
> Don Munyak wrote:
> > Ugo, much appreciated. I can understand the 445.
> >
> > What's confused me is the Remote IP is almost always 4.152.222.239
> > {port 445 or 135}
> >
> > The local IPs/ports, as reported by syslog, are any IP in the
> > 4.152.0.0/16 range. A few in others like 61.225.17.215
> > ..etc
> >
> > The point was my network is 192.168.222.0/24. How is it that syslog is
> > reporting the BLOCKED traffic from my network. Is this a case of a
> > spoofed packet?
> 


I think I solved my concern, but not necessarily the issue. It
appears the strange traffic being blocked by m0n0wall was originating
from a pptp dial-up client.

Basically, I have m0n0wall set up to redirect inbound pptp traffic to a
LAN connected w2k RRAS server. The remote client workstation was using
an erols (level3) dialup account to gain internet access, then using
the built-in windows pptp component to make a pptp/vpn connection to
our office network file services.

The hair-pulling experience was seeing all the non-LAN IP traffic from
the dialup connection feeding back into our network, via the pptp
connection.

If anyone has any recommendations or suggestions, I am more than
willing to hear.

Thanks

- Don