Are udp packets with non-routeable ip addresses valid on public network?
Ernie Luzar
luzar722 at gmail.com
Mon Oct 12 17:29:05 UTC 2015
Matthew Seaman wrote:
> On 2015/10/12 14:06, Ernie Luzar wrote:
>
>> I am receiving unsolicited inbound udp packets with a "to ip address"
>> [10.0.10.1] of a computer on my LAN. Is this valid? Other tcp/udp
>> packets from that LAN computer pass through the firewall NAT as
>> expected. I added a firewall rule to block that packet and there are no
>> outward signs of problems with that LAN computer.
>>
>> On other LAN PCs that run ms/windows and facebook or yahoo are sending
>> outbound udp packets with "from ip address" containing their LAN ip
>> address. I block these also without any outward signs of problems. These
>> packets are not being NAT'ed like other udp packets from that LAN PC are.
>>
>> I thought non-routeable ip addresses are invalid on the public network.
>>
>> Any ideas on what is occurring here?
>
> Do you mean you are receiving packets on the *external* interface of
> your firewall with an IP number for a host in the private address space
> on your internal lan?
YES
>
> No, that shouldn't happen. RFC1918 addressed packets should not be
> routable on the Internet.
>
> It sounds as if your firewall might be letting un-NAT'ed traffic through
> itself for some combination of host and protocol, and you are somehow
> seeing responses. Or else someone has worked out what some of your
> internal addresses are and is trying to spoof your firewall -- but
> they'd have to be fairly close to you in network terms to even attempt that.
>
> Your firewall should reject such packets -- it's good practice to drop
> packets using private address space when they arrive from or depart to
> public networks, and also to drop packets that arrive at an 'impossible'
> interface according to the routing table. You can do that last bit
> fairly easily in pf(4) by something like:
>
> block in log quick on $ext_if from no-route to any
> block in log quick on $ext_if from urpf-failed to any
>
> Cheers,
>
> Matthew
>
I am running 10.2 and ipfilter firewall. No problems with tcp packets
just udp packets being issued from facebook and yahoo. I'm thinking this
may be a phone home virus or coding error in usage of udp packets in
those 2 websites.
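A pf(4) ruleset that applies all of the checks Matthew describes (drop private address space arriving from or leaving to the public side, plus the no-route and urpf-failed checks), added here as an example and not part of the thread. It assumes em0 as the external interface, em1 as the LAN interface and 10.0.10.0/24 as the LAN network; none of those values come from the thread.

```pf
# Added example for FreeBSD pf(4); assumed interfaces and LAN network below.
ext_if  = "em0"
int_if  = "em1"
lan_net = "10.0.10.0/24"

# RFC 1918 space plus other addresses that must never cross a public link.
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8 }

set skip on lo0

# Outbound LAN traffic is translated before the filter rules run, so a
# packet that still carries a LAN source when filtered was never NATed.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Inbound on the public side: a private source is a bogon/spoof, and a
# private destination is the unsolicited case in the thread (dst 10.0.10.1).
# Replies to NATed connections match an existing state and never reach
# these rules, so legitimate return traffic is unaffected.
block in log quick on $ext_if from <martians> to any
block in log quick on $ext_if from any to <martians>

# Outbound on the public side: a private source means NAT did not apply
# (the un-NATed UDP packets described above); a private destination
# would leak LAN-only traffic onto the Internet.
block out log quick on $ext_if from <martians> to any
block out log quick on $ext_if from any to <martians>

# Routing-table sanity checks from the reply above: sources with no route
# back, and sources that fail a reverse-path (uRPF) check on this interface.
block in log quick on $ext_if from no-route to any
block in log quick on $ext_if from urpf-failed to any
antispoof log quick for { $ext_if, $int_if }

# Normal stateful policy follows; adjust to the site.
block in log all
pass out quick on $ext_if keep state
pass in quick on $int_if from $lan_net to any keep state
```

Blocked packets show up in `tcpdump -n -e -ttt -i pflog0`, which is where a case like the one in this thread can be confirmed before deciding whether a LAN host is misbehaving.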