Source and destination the same



  • Hi,

    just installed pfSense 1.0 on a hard disk last week.  Default rules.

    On Saturday, while browsing a certain website, I noticed in syslog that quite a number of probes (50+) on my system were coming from an IP address assigned to this particular organisation, but for ICMP entries the destination IP address was the same as the source!  On TCP port 80 the destination was my own IP address.

    Here's an example:

    WAN Interface Src. 89.207.xxx.xxx  Dest.  89.207.xxx.xxx ICMP

    The TCP entries show that the destination is my own IP address:

    WAN Interface Src.  89.207.xxx.xxx:80  Dest.  217.159.xxx.xxx:54954 TCP

    Am I missing something obvious here? It's surely not right that the source and destination IP addresses for ICMP entries should be the same?

    Thank you.

    Gerard.



  • ICMP is ping,
    so you get source his IP, destination your IP, then changed by pfSense to destination his IP



  • @jeroen234:

    ICMP is ping,
    so you get source his IP, destination your IP, then changed by pfSense to destination his IP

    I've never seen this behaviour on other firewalls.  I've used m0n0wall and Smoothwall Express and neither of them logs ICMP entries like this.



  • That's because other firewalls use a different filtering stack.

    m0n0wall uses ipfilter
    pfSense uses pf
    Linux uses something with chain in the name I am sure



  • @Gez:

    Hi,

    just installed pfSense 1.0 on a hard disk last week.  Default rules.

    On Saturday, while browsing a certain website, I noticed in syslog that quite a number of probes (50+) on my system were coming from an IP address assigned to this particular organisation, but for ICMP entries the destination IP address was the same as the source!  On TCP port 80 the destination was my own IP address.

    Here's an example:

    WAN Interface Src. 89.207.xxx.xxx  Dest.  89.207.xxx.xxx ICMP

    The TCP entries show that the destination is my own IP address:

    WAN Interface Src.  89.207.xxx.xxx:80  Dest.  217.159.xxx.xxx:54954 TCP

    Am I missing something obvious here? It's surely not right that the source and destination IP addresses for ICMP entries should be the same?

    Thank you.

    Gerard.

    Doesn't sound right to me…otoh, I've also never seen this behaviour.  Possibly something screwed up with log parsing (although I'm skeptical...that code has been rewritten more times than anything else in the system).

    --Bill



  • @Gez:

    On Saturday, while browsing a certain website, I noticed in syslog that quite a number of probes (50+) on my system were coming from an IP address assigned to this particular organisation, but for ICMP entries the destination IP address was the same as the source!  On TCP port 80 the destination was my own IP address.

    Here's an example:

    WAN Interface Src. 89.207.xxx.xxx   Dest.  89.207.xxx.xxx ICMP

    @billm:

    Doesn't sound right to me…otoh, I've also never seen this behaviour.  Possibly something screwed up with log parsing (although I'm skeptical...that code has been rewritten more times than anything else in the system).

    I think it might have something to do with logging indeed – today I have noticed that logging is very erratic.  I upgraded version 1.0 to 1.0.1 but I might just do a clean install of 1.0.1 and see what happens. I do like the firewall but I'm a bit uneasy about it at the moment.



  • @Gez:

    WAN Interface Src. 89.207.xxx.xxx   Dest.  89.207.xxx.xxx ICMP

    I'm no expert, but it seems to me that the only way to get this packet is either your ISP is acting up or your firewall is not logging correctly. The ISP shouldn't route that packet to you. No way.



  • @Gez:

    WAN Interface Src. 89.207.xxx.xxx  Dest.  89.207.xxx.xxx ICMP

    @sai:

    I'm no expert, but it seems to me that the only way to get this packet is either your ISP is acting up or your firewall is not logging correctly. The ISP shouldn't route that packet to you. No way.

    Well I don't know if this has something to do with it as I'm no expert either but my only broadband option here in rural Ireland is satellite broadband, which has the peculiar feature that if I do a traceroute to any external website I notice that packets are routed from my private address space of 192.168.30.0 out through the satellite modem, with its public, fixed IP address on the WAN interface, and back to another private 192.168.4.0 address space somewhere in Germany, taking 2 hops there, before finally taking its course through routers with public addresses again.  I've never really questioned it as I assumed satellite works differently but it does seem a bit odd.

    As for logging, yes it's not working properly. It works for about 10-20 minutes and then stops logging completely till I reboot.  I've done a completely fresh hard disk install of 1.0.1 but same problem.
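
A sanity check for the kind of entries discussed in this thread, as an added example that is not part of any post above: it parses lines laid out the way the quoted entries are and flags WAN entries whose source equals the destination, or whose destination is not the firewall's own WAN address. The sample lines are constructed with documentation-range addresses; `check_entry`, `audit` and `WAN_IP` are hypothetical names, and the line layout is assumed from the quotes rather than taken from pfSense's raw log format.

```python
import ipaddress
import re

# Layout assumed from the entries quoted in the thread:
#   WAN Interface Src. <ip>[:port]  Dest. <ip>[:port] <PROTO>
ENTRY = re.compile(
    r"^(?P<iface>\S+) Interface\s+Src\.\s+(?P<src>[\d.]+)(?::\d+)?"
    r"\s+Dest\.\s+(?P<dst>[\d.]+)(?::\d+)?\s+(?P<proto>\S+)$"
)

WAN_IP = "198.51.100.20"  # constructed: the firewall's own WAN address

SAMPLE = [  # constructed lines, documentation-range addresses
    "WAN Interface Src. 203.0.113.7  Dest.  203.0.113.7 ICMP",
    "WAN Interface Src.  203.0.113.7:80  Dest.  198.51.100.20:54954 TCP",
]


def check_entry(line, wan_ip):
    """Return anomaly tags for one log line; an empty list means plausible."""
    m = ENTRY.match(line.strip())
    if not m:
        return ["unparsed"]
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return ["bad-address"]
    findings = []
    if src == dst:
        # A routed packet cannot have the same address at both ends.
        findings.append("src-equals-dst")
    if m["iface"] == "WAN" and dst != ipaddress.ip_address(wan_ip):
        # Inbound unicast on WAN should be addressed to the WAN address.
        findings.append("dst-not-wan-address")
    return findings


def audit(lines, wan_ip):
    """Map each suspicious line to its anomaly tags."""
    flagged = {}
    for line in lines:
        findings = check_entry(line, wan_ip)
        if findings:
            flagged[line] = findings
    return flagged


if __name__ == "__main__":
    for line, tags in audit(SAMPLE, WAN_IP).items():
        print(", ".join(tags), "<-", line)
```

Entries flagged this way are candidates for comparison against a packet capture on the WAN interface, which separates a display or parsing fault from traffic that really arrived.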

