Hi all,

I'm running m0n0wall 1.2 on a WRAP 1D where the m0n0wall connects all my machines on the LAN to the internet through NAT. I use the addresses from 10.0.0.0/24 as the private address range and the public IP address is assigned by my ISP through DHCP. The m0n0wall itself has the LAN address 10.0.0.11 and my desktop is 10.0.0.57. The desktop runs only Linux and the browser is Firefox 1.0.7. Java is enabled in the browser but does not work, i.e. the configuration is broken.

I found several entries in the firewall logs which showed dropped packets that were coming in via the WAN interface (ng0) and were directed at private addresses. These entries seemed to belong to three classes:

class 1: UDP directed to port 1434 of the public IP. Example:
-------------------------------------------------------------
15:26:54.173615 ng0 @0:6 b 10.0.0.11,3512 -> 84.147.223.17,1434 PR udp len 20 404 IN

There was only one entry of this class and at this time all other machines on my LAN were switched off. Theoretically this could be the result of guessing an internal IP address but because there were no other entries (which would indicate some sort of searching process) it seems more likely that the sender knew what he/she/it was doing. The question here is how would the sender be able to learn the private address of the m0n0wall?

class 2: TCP data packets coming from a web server. Examples:
-------------------------------------------------------------
12:36:50.437910 ng0 @0:26 b 213.189.25.134,80 -> 10.0.0.57,48206 PR tcp len 20 1492 -AP IN
12:37:11.854757 ng0 @0:26 b 213.189.25.134,80 -> 10.0.0.57,48194 PR tcp len 20 1492 -AP IN

class 3: TCP RST packets coming from a web server.
Examples:
------------------------------------------------------------
13:48:07.680084 ng0 @0:26 b 213.209.108.155,80 -> 10.0.0.57,43246 PR tcp len 20 40 -AR IN
22:06:00.819662 ng0 @0:26 b 213.209.108.155,80 -> 10.0.0.57,35462 PR tcp len 20 40 -AR IN
22:11:14.330707 ng0 @0:26 b 213.209.108.157,80 -> 10.0.0.57,36744 PR tcp len 20 40 -AR IN

BTW: The sender IP addresses for class 3 entries belong to a company called mediavantage (www.mediavantage.de) which seems to offer some services related to advertising.

The output of ipfstat -nio can be found below.

I know that there are ways for a web server to determine the client's local IP address through running scripts on the client's machine. These either seem only to work on Windows or involve calling some Java routines through JavaScript. As I'm running Linux on my desktop all the Windows-specific methods won't work, and due to the fact that Java does not work in my browser I'm sure that these methods don't work either (I even tried some sample scripts). So at the moment, unless I am infected with some sort of malware, I am pretty sure that no application is "leaking" the private address to the web server.

But maybe I am misinterpreting the log entries. Is it possible that the packets of class 2 and 3 were dropped by the firewall after NAT had replaced the public receiver address with the private IP address? In this case the packets received from the internet would not have contained the private IP addresses.
Martin

ipfstat -nio

@1 pass out quick on lo0 from any to any
@2 pass out quick on sis0 proto udp from 10.0.0.11/32 port = 67 to any port = 68
@3 pass out quick on ng0 proto udp from any port = 68 to any port = 67
@4 pass out quick on ng0 proto udp from 84.147.248.120/32 port = 500 to any
@5 pass out quick on ng0 proto esp from 84.147.248.120/32 to any
@6 pass out quick on ng0 proto ah from 84.147.248.120/32 to any
@7 pass out quick on sis0 proto udp from 10.0.0.11/32 port = 500 to any
@8 pass out quick on sis0 proto esp from 10.0.0.11/32 to any
@9 pass out quick on sis0 proto ah from 10.0.0.11/32 to any
@10 pass out quick on sis2 proto udp from 10.0.1.11/32 port = 500 to any
@11 pass out quick on sis2 proto esp from 10.0.1.11/32 to any
@12 pass out quick on sis2 proto ah from 10.0.1.11/32 to any
@13 pass out quick on sis0 from any to any keep state
@14 pass out quick on ng0 from any to any keep state
@15 pass out quick on sis2 from any to any keep state
@16 block out log quick from any to any

@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on sis0 proto udp from any port = 68 to 10.0.0.11/32 port = 67
@6 block in log quick on ng0 from 10.0.0.0/24 to any
@7 block in log quick on ng0 from 10.0.1.0/24 to any
@8 block in log quick on ng0 proto udp from any port = 67 to 10.0.0.0/24 port = 68
@9 pass in quick on ng0 proto udp from any port = 67 to any port = 68
@10 block in log quick on sis0 from !10.0.0.0/24 to any
@11 block in log quick on sis2 from !10.0.1.0/24 to any
@12 block in log quick on ng0 from 10.0.0.0/8 to any
@13 block in log quick on ng0 from 127.0.0.0/8 to any
@14 block in log quick on ng0 from 172.16.0.0/12 to any
@15 block in log quick on ng0 from 192.168.0.0/16 to any
@16 pass in quick on ng0 proto udp from any to 84.147.248.120/32 port = 500
@17 pass in quick on ng0 proto esp from any to 84.147.248.120/32
@18 pass in quick on ng0 proto ah from any to 84.147.248.120/32
@19 pass in quick on sis0 proto udp from any to 10.0.0.11/32 port = 500
@20 pass in quick on sis0 proto esp from any to 10.0.0.11/32
@21 pass in quick on sis0 proto ah from any to 10.0.0.11/32
@22 pass in quick on sis2 proto udp from any to 10.0.1.11/32 port = 500
@23 pass in quick on sis2 proto esp from any to 10.0.1.11/32
@24 pass in quick on sis2 proto ah from any to 10.0.1.11/32
@25 skip 1 in proto tcp from any to any flags S/FSRA
@26 block in log quick proto tcp from any to any
@27 block in log quick on sis0 from any to any head 100
@1 pass in quick from 10.0.0.0/24 to 10.0.0.11/32 keep state group 100
@2 pass in quick from 10.0.0.0/24 to any keep state group 100
@28 block in log quick on ng0 from any to any head 200
@29 block in log quick on sis2 from any to any head 300
@1 pass in quick from 10.0.1.0/24 to 10.0.1.0/24 keep state group 300
@2 pass in quick proto tcp from 10.0.1.65/32 to 10.0.0.59/32 port = 443 keep state group 300
@30 block in log quick from any to any
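Editor's added example, not part of Martin's post: the "@0:6" and "@0:26" fields in his log lines are IPFilter group:rule references and can be checked against the ipfstat output above (inbound rule @6 blocks packets from 10.0.0.0/24 on ng0; rule @26 blocks TCP segments that carry no SYN and matched no state entry, since @25 skips it only for pure SYNs). m0n0wall's packet filter is IPFilter, which applies inbound NAT before the filter rules and, on the reverse translation of an outbound mapping, rewrites only the destination address. The script below parses the ipmon-format lines quoted in the post (reproduced here as sample input) and separates the entries where a LAN address could have been put there by NAT (LAN destination, so the mapping matched and only the state lookup failed) from the one where it could not (LAN source arriving on the WAN side). The WAN interface name and LAN range are assumptions taken from the post; the label names are this example's own.

```python
import ipaddress
import re

# Sample input: the ipmon-format log lines quoted in the post above.
SAMPLE_LOG = """\
15:26:54.173615 ng0 @0:6 b 10.0.0.11,3512 -> 84.147.223.17,1434 PR udp len 20 404 IN
12:36:50.437910 ng0 @0:26 b 213.189.25.134,80 -> 10.0.0.57,48206 PR tcp len 20 1492 -AP IN
12:37:11.854757 ng0 @0:26 b 213.189.25.134,80 -> 10.0.0.57,48194 PR tcp len 20 1492 -AP IN
13:48:07.680084 ng0 @0:26 b 213.209.108.155,80 -> 10.0.0.57,43246 PR tcp len 20 40 -AR IN
22:06:00.819662 ng0 @0:26 b 213.209.108.155,80 -> 10.0.0.57,35462 PR tcp len 20 40 -AR IN
22:11:14.330707 ng0 @0:26 b 213.209.108.157,80 -> 10.0.0.57,36744 PR tcp len 20 40 -AR IN
"""

# Assumptions taken from the post: WAN interface name and LAN address range.
WAN_IFACE = "ng0"
LAN_NET = ipaddress.ip_network("10.0.0.0/24")

# time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [-flags] dir
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)$"
)


def parse_line(line):
    """Parse one ipmon log line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    return rec  # rec["flags"] is None for non-TCP entries


def classify(rec):
    """Label a blocked inbound WAN entry by how a LAN address got into it.

    IPFilter runs inbound NAT before the filter, so a LAN *destination* in a blocked
    WAN packet was written there by an existing NAT mapping; the filter then dropped
    the packet because no state entry matched (rule @26 in the post's ruleset).
    Reverse translation never rewrites the *source*, so a LAN source seen on the
    WAN side is spoofed or leaked, not a NAT artefact (rule @6 in the post).
    """
    if rec["iface"] != WAN_IFACE or rec["dir"] != "IN" or rec["action"] != "b":
        return "other"
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if src in LAN_NET:
        return "private-source"
    if dst in LAN_NET:
        flags = rec["flags"] or ""
        if rec["proto"] == "tcp" and "R" in flags:
            return "late-rst"          # RST for a connection whose state is already gone
        if rec["proto"] == "tcp" and "S" not in flags:
            return "stateless-data"    # non-SYN segment, no state entry left to match
        return "post-nat-block"
    return "public-dest"


def summarize(log_text):
    """Count entries per label; lines that do not parse are skipped."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            label = classify(rec)
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(f"@{rec['group']}:{rec['rule']:<3} {classify(rec):<15} {line}")
    print(summarize(SAMPLE_LOG))
```

Run against the six lines from the post this yields one "private-source" entry (class 1), two "stateless-data" entries (class 2) and three "late-rst" entries (class 3); for the last two classes the private address is the result of the NAT reverse translation, not of anything the remote web server sent.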