[ILUG] Firewall Log Question
martin at tuatha.org
Thu Nov 22 18:53:10 GMT 2001
On Thu, 22 Nov 2001 17:43:13 eduardo wrote some stuff which doesn't wrap
very well and I'm too lazy to reformat it for him:
> One of the network is my company network (192.168.X.X / 255.255.0.0. I am
> charge of it) and the other network belongs to other company (10.10.X.X /
> 255.255.0.0). This company has a VPN. Now, they are accusing me as
> alleging we have tried to go into their VPN. As prove of that , they are
> showing the following type of message:
> Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6
> 18.104.22.168:4512 22.214.171.124:27374 L=48 S=0x00 I=24273 F=0x4000
> T=109 SYN (#70)
Do either of those IP addresses have anything to do with your network?
126.96.36.199 (pc4-staf2-0-cust72.bir.cable.ntl.com) and
188.8.131.52 (belonging to glabal-one)? I'm assuming not, so they're
not your problem.
> Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17
> 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128
These are from your network, but are not exactly your problem either.
As others have explained this is standard windows behaviour. A windows
machine sends broadcasts to the network it's on to figure out who else
is out there. Windows is a bit insecure that way. It doesn't like to
be alone and need constant reassuring. I think it's got some sort of
The problem is the hub and the windows machine connected to it. If you
replace this with a switch, the firewall hits should magically disappear.
What's happening is that a windows box either on your vlan or the one
on the hub is sending a broadcast to find out what other windows machines
are on the 192.168/16 network.
Now the windows machine talks to the hub. The hub, being a hub, doesn't
have an arp cache, so it doen't know where the other 192.168/16 machines
are. It forwards the packet onto everything it's connected to. This
includes the cisco and the "external" port of the other company's firewall
machine. Their firewall is picking up the broadcasts and flagging them
as something it doesn't expect.
Something similar is happening from the point of view of the machines on
switch. The switch has an arp entry for the windows machine and the cisco
on the port connected to the hub as having 192.168/16 addresses.
Windows machines on your vlan send a broadcast, the switch forwards on the
broadcast to all 192.168/16 connected ports. This includes the port on the
hub. The rest goes as above.
This is the nature of unswitched networks. Hub's don't have arp caches.
Sit the admin of the other company down and explain this to him/her.
Feel free to use a LART.
What the other company should do is accept that there are going to be
broadcast packets from the 192.168/16 network and ignore them.
The bigger question here is why do you have a shared hub/switch at all if
don't trust each other?
The best solution would be to have full physical separation of the networks
with routers in-between them if they need to talk to each other. Stick
firewalls on the routers if there's a need.
Also, it looks as if you have mixed netmasks on your network. 192.168.2.5
and 192.168.2.20 look to have /24 whereas the rest look to have /16.
I'd fix this as soon as possible as well as it can cause many subtle
especially with windows logons.
More information about the ILUG