    Source and destination the same

      Gez last edited by

      Hi,

      Just installed pfSense 1.0 on a hard disk last week.  Default rules.

      On Saturday, while browsing a certain website, I noticed in syslog that quite a number of probes (50+) on my system were coming from an IP address assigned to this particular organisation, but for ICMP entries the destination IP address was the same as the source!  On TCP port 80 the destination was my own IP address.

      Here's an example:

      WAN Interface Src. 89.207.xxx.xxx  Dest.  89.207.xxx.xxx ICMP

      The TCP entries show that the destination is my own IP address:

      WAN Interface Src.  89.207.xxx.xxx:80  Dest.  217.159.xxx.xxx:54954 TCP

      Am I missing something obvious here? It's surely not right that the source and destination IP addresses for ICMP entries should be the same?

      Thank you.

      Gerard.

        jeroen234 last edited by

        ICMP is ping
        so you get source his IP, destination your IP, then changed by pfSense to destination his IP

          Gez last edited by

          @jeroen234:

          ICMP is ping
          so you get source his IP, destination your IP, then changed by pfSense to destination his IP

          I've never seen this behaviour on other firewalls.  I've used m0n0wall and Smoothwall Express and neither of them logs ICMP entries like this.

            sullrich last edited by

            That's because other firewalls use a different filtering stack.

            m0n0wall uses ipfilter
            pfSense uses pf
            Linux uses something with chain in the name I am sure

              billm last edited by

              @Gez:

              Hi,

              Just installed pfSense 1.0 on a hard disk last week.  Default rules.

              On Saturday, while browsing a certain website, I noticed in syslog that quite a number of probes (50+) on my system were coming from an IP address assigned to this particular organisation, but for ICMP entries the destination IP address was the same as the source!  On TCP port 80 the destination was my own IP address.

              Here's an example:

              WAN Interface Src. 89.207.xxx.xxx  Dest.  89.207.xxx.xxx ICMP

              The TCP entries show that the destination is my own IP address:

              WAN Interface Src.  89.207.xxx.xxx:80  Dest.  217.159.xxx.xxx:54954 TCP

              Am I missing something obvious here? It's surely not right that the source and destination IP addresses for ICMP entries should be the same?

              Thank you.

              Gerard.

              Doesn't sound right to me…otoh, I've also never seen this behaviour.  Possibly something screwed up with log parsing (although I'm skeptical...that code has been rewritten more times than anything else in the system).

              --Bill

              pfSense core developer
              blog - http://www.ucsecurity.com/
              twitter - billmarquette

                Gez last edited by

                @Gez:

                On Saturday, while browsing a certain website, I noticed in syslog that quite a number of probes (50+) on my system were coming from an IP address assigned to this particular organisation, but for ICMP entries the destination IP address was the same as the source!  On TCP port 80 the destination was my own IP address.

                Here's an example:

                WAN Interface Src. 89.207.xxx.xxx   Dest.  89.207.xxx.xxx ICMP

                @billm:

                Doesn't sound right to me…otoh, I've also never seen this behaviour.  Possibly something screwed up with log parsing (although I'm skeptical...that code has been rewritten more times than anything else in the system).

                I think it might have something to do with logging indeed – today I have noticed that logging is very erratic.  I upgraded version 1.0 to 1.0.1 but I might just do a clean install of 1.0.1 and see what happens. I do like the firewall but I'm a bit uneasy about it at the moment.

                  sai last edited by

                  @Gez:

                  WAN Interface Src. 89.207.xxx.xxx   Dest.  89.207.xxx.xxx ICMP

                  I'm no expert, but it seems to me that the only way to get this  packet is either your ISP is acting up or your firewall is not logging correctly. The ISP shouldn't route that packet to you. No way.

                    Gez last edited by

                    @Gez:

                    WAN Interface Src. 89.207.xxx.xxx  Dest.  89.207.xxx.xxx ICMP

                    @sai:

                    I'm no expert, but it seems to me that the only way to get this  packet is either your ISP is acting up or your firewall is not logging correctly. The ISP shouldn't route that packet to you. No way.

                    Well, I don't know if this has something to do with it as I'm no expert either, but my only broadband option here in rural Ireland is satellite broadband, which has the peculiar feature that if I do a traceroute to any external website I notice that packets are routed from my private address space of 192.168.30.0 out through the satellite modem, with its public, fixed IP address on the WAN interface, and back to another private 192.168.4.0 address space somewhere in Germany, taking 2 hops there, before finally taking its course through routers with public addresses again.  I've never really questioned it as I assumed satellite works differently but it does seem a bit odd.

                    As for logging, yes it's not working properly. It works for about 10-20 minutes and then stops logging completely till I reboot.  I've done a completely fresh hard disk install of 1.0.1 but same problem.
