
Possible stateful filtering problem?

From: Security <security(at)zerouptime.ch>
Date: Fri Feb 21 2003 - 05:29:16 EST


First of all, I use FreeBSD with IPFilter and therefore also IPNAT for PAT/portmapping etc.

I map my external server IPs on the external interface of my firewall and then bimap them to the servers in the DMZ, while filtering it through ipf rules. The third interface of the firewall goes to the LAN.

I have one rule (and only this one rule) which allows Gnutella traffic to be forwarded from any external IPs to one internal (LAN) IP (my workstation). There is a corresponding IPNAT rule which portmaps this port to my PC.

ipf:
pass in quick on rl0 proto tcp from any to myhost port = 6346 flags S/SAFR keep state group 100

ipnat:
rdr rl0 123.45.67.8/32 port 6346 -> myhost.mydomain.ch port 6346 tcp

The example IP 123.45.67.8 would be the external IP of my firewall.

But now I regularly get the following messages from my DMZ server (IP values changed):

> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22117
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22117
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22359
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22359
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22609
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22609
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22853
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:22853
> Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:25482


In the example above, my mailserver (.12) is affected; the packets are coming from my firewall (.1), through which those packets must pass.

But my internal network now has a completely different IP range, let's say 192.168.1.0/24. And the port is only mapped to one IP of those, my PC.

I suspect either a problem with the stateful filtering of IPFilter, or it could also be my PC from the LAN which tries to connect to a badly configured Gnutella host which shows its LAN IP on the GnutellaNet, which again incidentally matches the IP of my mailserver in the DMZ.

But I see those packet reports from my mail or webserver way too often, and most aggravating: they are also reported even when my Gnutella client (LimeWire) is not running.

Further ideas?

-- 
Jonas Nagel 


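The report lines quoted in the post come in pairs with the same ephemeral source port, which is how a retried SYN looks, as opposed to a fresh connection attempt. The script below is an added example (it is not part of the original message and not an IPFilter tool): it parses lines in the "Connection attempt to TCP a:b from c:d" format, counts distinct attempts to the forwarded port, separates repeats of the same 5-tuple from new attempts, and flags any attempt to that port whose destination is not the host the rdr rule maps to. The sample log is constructed from the format shown in the post, and the LAN PC address 192.168.1.10 is an assumption.

```python
"""Sort "Connection attempt to ..." reports into fresh SYNs, retransmissions
and attempts that reached a host the rdr rule never points at.

Added example; the log lines are constructed to match the format quoted
in the post, and 192.168.1.10 is an assumed address for the LAN PC.
"""
import re
from collections import Counter

# Constructed sample. The last line is an unrelated SMTP connection, included
# to show that only the watched port is examined.
SAMPLE_LOG = """\
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:19384
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:20927
Connection attempt to TCP 10.0.0.12:6346 from 10.0.0.1:25482
Connection attempt to TCP 10.0.0.12:25 from 198.51.100.7:40001
"""

LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
)


def parse_attempts(text):
    """Return one (proto, src, sport, dst, dport) tuple per matching line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append(
                (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            )
    return flows


def classify(flows, watched_port, allowed_dsts):
    """Examine attempts to watched_port.

    distinct:      number of unique 5-tuples, i.e. separate connection attempts
    retransmitted: 5-tuples seen more than once; the same ephemeral source port
                   appearing again is normally the sender retrying an
                   unanswered SYN, not a new connection
    misdirected:   5-tuples whose destination is not in allowed_dsts, i.e. the
                   forwarded port landed on a host the rdr rule does not map to
    """
    counts = Counter(f for f in flows if f[4] == watched_port)
    return {
        "distinct": len(counts),
        "retransmitted": sorted(f for f, n in counts.items() if n > 1),
        "misdirected": sorted(f for f in counts if f[3] not in allowed_dsts),
    }


if __name__ == "__main__":
    flows = parse_attempts(SAMPLE_LOG)
    # Assumed: the rdr rule maps port 6346 only to the LAN PC at 192.168.1.10
    report = classify(flows, 6346, {"192.168.1.10"})
    print("distinct attempts to 6346:", report["distinct"])
    for f in report["retransmitted"]:
        print("retried SYN:", f)
    for f in report["misdirected"]:
        print("port 6346 reached a host the rdr rule does not map to:", f)
```

On the constructed sample this yields three distinct attempts, two of which were retried, and all three are misdirected because they reached 10.0.0.12 rather than the mapped LAN host. Feeding it a real day of reports lets you see whether the hits cluster around times when the Gnutella client was running, which is the question the post leaves open.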
Received on Fri Feb 21 18:28:50 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:58 EDT

