Netgate Discussion Forum

Source and destination the same

    Gez
    last edited by Dec 12, 2006, 10:50 AM

    Hi,

    Just installed pfSense 1.0 on a hard disk last week.  Default rules.

    On Saturday, while browsing a certain website, I noticed in syslog that quite a number of probes (50+) on my system were coming from an IP address assigned to this particular organisation, but for ICMP entries the destination IP address was the same as the source!  On TCP port 80 the destination was my own IP address.

    Here's an example:

    WAN Interface Src. 89.207.xxx.xxx  Dest.  89.207.xxx.xxx ICMP

    The TCP entries show that the destination is my own IP address:

    WAN Interface Src.  89.207.xxx.xxx:80  Dest.  217.159.xxx.xxx:54954 TCP

    Am I missing something obvious here? It's surely not right that the source and destination IP addresses for ICMP entries should be the same?

    Thank you.

    Gerard.

      jeroen234
      last edited by Dec 12, 2006, 6:05 PM

      ICMP is ping
      so you get source his IP, destination your IP, then changed by pfSense to destination his IP

        Gez
        last edited by Dec 12, 2006, 6:43 PM

        @jeroen234:

        ICMP is ping
        so you get source his IP, destination your IP, then changed by pfSense to destination his IP

        I've never seen this behaviour on other firewalls.  I've used m0n0wall and Smoothwall Express and neither of them logs ICMP entries like this.

          sullrich
          last edited by Dec 12, 2006, 8:20 PM

          That's because other firewalls use a different filtering stack.

          m0n0wall uses ipfilter
          pfSense uses pf
          Linux uses something with chain in the name I am sure

            billm
            last edited by Dec 13, 2006, 2:36 PM

            @Gez:

            Hi,

            Just installed pfSense 1.0 on a hard disk last week.  Default rules.

            On Saturday, while browsing a certain website, I noticed in syslog that quite a number of probes (50+) on my system were coming from an IP address assigned to this particular organisation, but for ICMP entries the destination IP address was the same as the source!  On TCP port 80 the destination was my own IP address.

            Here's an example:

            WAN Interface Src. 89.207.xxx.xxx  Dest.  89.207.xxx.xxx ICMP

            The TCP entries show that the destination is my own IP address:

            WAN Interface Src.  89.207.xxx.xxx:80  Dest.  217.159.xxx.xxx:54954 TCP

            Am I missing something obvious here? It's surely not right that the source and destination IP addresses for ICMP entries should be the same?

            Thank you.

            Gerard.

            Doesn't sound right to me…otoh, I've also never seen this behaviour.  Possibly something screwed up with log parsing (although I'm skeptical...that code has been rewritten more times than anything else in the system).

            --Bill

            pfSense core developer
            blog - http://www.ucsecurity.com/
            twitter - billmarquette

              Gez
              last edited by Dec 13, 2006, 5:52 PM

              @Gez:

              On Saturday, while browsing a certain website, I noticed in syslog that quite a number of probes (50+) on my system were coming from an IP address assigned to this particular organisation, but for ICMP entries the destination IP address was the same as the source!  On TCP port 80 the destination was my own IP address.

              Here's an example:

              WAN Interface Src. 89.207.xxx.xxx   Dest.  89.207.xxx.xxx ICMP

              @billm:

              Doesn't sound right to me…otoh, I've also never seen this behaviour.  Possibly something screwed up with log parsing (although I'm skeptical...that code has been rewritten more times than anything else in the system).

              I think it might have something to do with logging indeed – today I have noticed that logging is very erratic.  I upgraded version 1.0 to 1.0.1 but I might just do a clean install of 1.0.1 and see what happens. I do like the firewall but I'm a bit uneasy about it at the moment.

                sai
                last edited by Dec 14, 2006, 5:34 PM

                @Gez:

                WAN Interface Src. 89.207.xxx.xxx   Dest.  89.207.xxx.xxx ICMP

                I'm no expert, but it seems to me that the only way to get this packet is either your ISP is acting up or your firewall is not logging correctly. The ISP shouldn't route that packet to you. No way.

                  Gez
                  last edited by Dec 16, 2006, 1:19 AM

                  @Gez:

                  WAN Interface Src. 89.207.xxx.xxx  Dest.  89.207.xxx.xxx ICMP

                  @sai:

                  I'm no expert, but it seems to me that the only way to get this packet is either your ISP is acting up or your firewall is not logging correctly. The ISP shouldn't route that packet to you. No way.

                  Well I don't know if this has something to do with it as I'm no expert either but my only broadband option here in rural Ireland is satellite broadband, which has the peculiar feature that if I do a traceroute to any external website I notice that packets are routed from my private address space of 192.168.30.0 out through the satellite modem, with its public, fixed IP address on the WAN interface, and back to another private 192.168.4.0 address space somewhere in Germany, taking 2 hops there, before finally taking its course through routers with public addresses again.  I've never really questioned it as I assumed satellite works differently but it does seem a bit odd.

                  As for logging, yes it's not working properly. It works for about 10-20 minutes and then stops logging completely till I reboot.  I've done a completely fresh hard disk install of 1.0.1 but same problem.

                  1 Reply Last reply Reply Quote 0
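
The thread turns on whether the identical source and destination is confined to ICMP entries (TCP entries looked normal), which would point at logging rather than at real traffic. The following is an added example, not part of any post and not pfSense code: it parses entries in the layout quoted above and counts, per protocol, how many have source equal to destination. The sample lines are constructed with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample entries in the layout quoted in the thread. Addresses are
# documentation ranges (RFC 5737), not values from the poster's log.
SAMPLE_LOG = """\
WAN Interface Src. 203.0.113.10  Dest.  203.0.113.10 ICMP
WAN Interface Src.  203.0.113.10:80  Dest.  198.51.100.7:54954 TCP
WAN Interface Src. 203.0.113.10   Dest.  203.0.113.10 ICMP
WAN Interface Src. 203.0.113.44  Dest.  198.51.100.7 ICMP
this line is not a filter entry
"""

ENTRY = re.compile(
    r"^(?P<iface>\S+) Interface\s+Src\.\s+(?P<src>\S+)"
    r"\s+Dest\.\s+(?P<dst>\S+)\s+(?P<proto>\S+)$"
)

def host_of(endpoint):
    """Strip a trailing :port from an IPv4 endpoint (IPv4 only, by assumption)."""
    host, sep, port = endpoint.rpartition(":")
    return host if sep and port.isdigit() else endpoint

def parse_entries(text):
    """Return one dict per recognisable entry; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append({
                "iface": m["iface"],
                "src": host_of(m["src"]),
                "dst": host_of(m["dst"]),
                "proto": m["proto"].upper(),
            })
    return entries

def same_endpoint_counts(entries):
    """Map protocol -> (entries with src == dst, total entries)."""
    counts = defaultdict(lambda: [0, 0])
    for e in entries:
        counts[e["proto"]][1] += 1
        if e["src"] == e["dst"]:
            counts[e["proto"]][0] += 1
    return {proto: tuple(c) for proto, c in counts.items()}

if __name__ == "__main__":
    for proto, (same, total) in sorted(same_endpoint_counts(parse_entries(SAMPLE_LOG)).items()):
        print(f"{proto}: {same} of {total} entries have source == destination")
```

A nonzero count for one protocol only is a reason to compare the rendered log against a packet capture on the same interface before treating the entries as real packets.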