Netgate Discussion Forum

    IP Spoofing

    General pfSense Questions
    7 Posts 4 Posters 1.2k Views
    • charlie101

      I'm using pfSense in a home/office environment. I host a few sites for local groups on an IPv4 /29 block and an IPv6 block. I recently noticed some suspicious probing which appeared to be coming from an IPv4 address within my block space.

      I assumed this was someone spoofing my IP(s) so I put an anti-spoofing rule on the WAN. Namely, I blocked any IPv4 address within my address space from trying to access any address within that same block space.

      Shortly after I saw continuous attempts by 'my' WAN address to access each of my IPv4 addresses in turn, including the WAN address itself. These access attempts targeted ports 53 and 23.

      It strikes me as strange that the interface address assigned via my ISP to my WAN would be spoofed. Specifically, I can't see how that would work in terms of how the traffic would be routed. Hence I'm wondering if I broke something with my 'anti-spoofing' rule? But I can't see how my rule, even if it broke something, would generate such behavior re: port 23 access.

      I'd be grateful to anyone who could shed some light on what might be going on here.

      Thanks.

      • netblues @charlie101

        @charlie101 said in IP Spoofing:

        Namely; I blocked any ipv4 address within my address space from trying to access any address within that same block space

        Just blocking your assigned IPs as incoming to your WAN port is the most you can do, WAN side.

        Looks like it isn't spoofing from remote.
        Most probably something hosted is the culprit.
        Running packet capture and analyzing via Wireshark will reveal MAC addresses and hopefully, hosts generating the probes.

        If random MACs are found, you will need a managed switch to pinpoint the physical port associated with the MAC.

        • charlie101 @netblues

          @netblues
          Hi netblues
          Thanks for your reply. I will get onto that right away. I did set some monitoring jobs running on my Linux desktop and the server/containers: 'netstat -upnatc', which didn't show anything suspicious regarding IPs or ports.
          I will start looking at the router in detail now, along with the packet inspection as you suggest.

          Thanks again.

          • johnpoz LAYER 8 Global Moderator @charlie101

            @charlie101

            https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html#anti-spoofing-rules

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            • stephenw10 Netgate Administrator

              Yeah, I would expect it to be blocked anyway if some internal host was spoofing the WAN IP.

              What exactly are you seeing?

              • johnpoz LAYER 8 Global Moderator @charlie101

                @charlie101 I would also sniff the traffic - what is the sending MAC of the traffic?

                • charlie101 @johnpoz
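The two suggestions above (netblues: capture packets and look at the MAC addresses behind the probes; johnpoz: check the sending MAC of the traffic) boil down to one check that can be scripted once a capture exists. The following is an added example, not code from the thread or from pfSense: it parses `tcpdump -e -n` style lines (a few constructed lines are embedded, so it runs offline), applies the poster's anti-spoofing idea (a source address inside the local block should never arrive on WAN from outside), and groups every such packet by its sending MAC. A packet claiming a local source that arrives from the ISP gateway's MAC is genuine remote spoofing; one arriving from any other MAC was put on the wire by a device on the poster's own segment, which is what the replies suspect. The prefix `203.0.113.8/29` and the MAC addresses are constructed placeholders, not the poster's real block or hardware.

```python
import ipaddress
import re
from collections import defaultdict

# Local address space as described by the poster (a /29). The prefix itself
# is a constructed placeholder, not the poster's real block.
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.8/29")]

# MAC of the ISP's upstream router as seen from the WAN port (constructed).
# A local source IP arriving from this MAC came in from the Internet; any other
# sending MAC belongs to a device on our own side of the WAN segment.
UPSTREAM_MAC = "00:11:22:33:44:55"

# One line of `tcpdump -e -n` output on an Ethernet interface, e.g.
# "12:00:01.000001 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800),
#  length 74: 203.0.113.9.51000 > 203.0.113.10.23: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),.*?"
    r"IPv4.*?: (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):",
    re.IGNORECASE,
)

# Constructed capture lines: three probes from an internal MAC that claim the
# WAN address (.9) as source, one genuine remote spoof from the upstream MAC,
# one ordinary Internet client, and an ARP frame the parser must ignore.
SAMPLE_LINES = [
    "12:00:01.000001 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 203.0.113.9.51000 > 203.0.113.10.23: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000002 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 203.0.113.9.51001 > 203.0.113.11.23: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000003 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 71: 203.0.113.9.40000 > 203.0.113.11.53: 12345+ A? example.com. (29)",
    "12:00:02.000001 00:11:22:33:44:55 > aa:bb:cc:dd:ee:09, ethertype IPv4 (0x0800), length 74: 203.0.113.12.4444 > 203.0.113.10.23: Flags [S], seq 1, win 64240, length 0",
    "12:00:03.000001 00:11:22:33:44:55 > aa:bb:cc:dd:ee:09, ethertype IPv4 (0x0800), length 74: 198.51.100.7.52000 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:04.000001 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.10 tell 203.0.113.9, length 28",
]


def parse_line(line):
    """Return the fields of one IPv4 tcpdump line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_local(ip):
    """True if the address falls inside one of our own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_PREFIXES)


def classify(pkt):
    """None for ordinary traffic; otherwise where a locally-sourced packet came from.

    The WAN anti-spoofing rule drops both cases, but the sending MAC is what
    tells you whether to look upstream or at your own hosts.
    """
    if not is_local(pkt["sip"]):
        return None
    if pkt["smac"].lower() == UPSTREAM_MAC:
        return "remote-spoof"
    return "internal-host"


def summarize(lines):
    """Group flagged packets by sending MAC so the offending device can be traced."""
    report = defaultdict(lambda: {"label": None, "targets": set(), "count": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        label = classify(pkt)
        if label is None:
            continue
        entry = report[pkt["smac"].lower()]
        entry["label"] = label
        entry["targets"].add((pkt["dip"], pkt["dport"]))
        entry["count"] += 1
    return dict(report)


if __name__ == "__main__":
    for mac, entry in summarize(SAMPLE_LINES).items():
        targets = ", ".join(f"{ip}:{port}" for ip, port in sorted(entry["targets"]))
        print(f"{mac}  {entry['label']:<14} {entry['count']} pkts -> {targets}")
```

On a real box the input would be the output of a capture on the WAN interface (pfSense's Diagnostics > Packet Capture, or `tcpdump -e -n -i <wan>`), and the MAC reported under `internal-host` is the one to look up in the managed switch's MAC table, as netblues describes.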

                  @johnpoz
                  Hi Johnpoz

                  Thanks to you and all of the above for your replies.
                  I was seeing some very strange behavior which looked like some kind of corruption to me:
                  Addresses were not being blocked even though they were clearly in a rule. Some addresses within an alias were being blocked while others were not. When I clicked on an alias it would open a different one to that clicked on. I tried a reboot to see if that cleared anything, and during the pfSense startup my screen was just scrolling with errors of myriad description: file errors, device errors, API errors, version errors and interface ID errors ...
                  I have backups of my settings so I'm just going to do a rebuild and import, as currently I can't trust a thing I read. I'm guessing that was the issue all along and hopefully it will be cleared after the restore.

                  Thanks for your help everyone.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.