I can see the very same thing happening to one of my firewalls. It looks
like some kind of attempt to spoof the loopback address. Run a tcpdump and
use -e to show Ethernet source and dest MAC addresses. (I used tcpdump -n -e
-i eth4c0 host 127.0.0.1). When I did this the packets claiming to be from
127.0.0.1 were actually originating from the internet router MAC address. I
don't think it's of great concern as the firewall is dropping all the
packets, but I'd be interested to hear if anyone knows any more about it
though.
-----Original Message-----
From: José María Gabaldón [mailto:jgabaldon AT CYBERTECHPROJECTS DOT COM]
Sent: 20 February 2004 15:48
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Loopback address spoofing
Hi guys,
I have a little problem: we have a Solaris running Check Point NG FP3, and
everything works fine. However, in the logs we continuously get (maybe every
20 seconds or so) a drop log message that says:
Source: localhost
Destination: FW_EXTERNAL_IP_ADDRESS
Source port: http
Action: DROP
Reason: Loopback address spoofing.
I wonder what this log entry means. Could it be some internal hacker really
trying to spoof the loopback address of the firewall, or maybe it is just a
misconfiguration? If so, how can I troubleshoot the problem?
I hope you can help me, thanks in advance!
_______________________________
José María Gabaldón
Network Security Engineer
email: jgabaldon AT cybertech.com DOT ve
www.cybertech.com.ve
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
------------------------------------------------------------------------------
The opinions expressed within this email represent those of the
individual and not necessarily those of Gullivers Travel Associates (GTA).
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify postmaster AT gta-travel
DOT com.
Should you wish to use email as a form of communication, GTA are unable to
guarantee the security of email content outside of our own computer systems.
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
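
As an added example (not part of the original messages): a Python script that applies the reply's tcpdump -e check to saved capture output, counting frames whose IPv4 source is in 127.0.0.0/8 per Ethernet source MAC and labelling each MAC from a device list. The sample lines, the MAC addresses and the `INVENTORY` table are constructed, and the line layout assumed is that of current Linux tcpdump.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e` output; MACs and IPs are documentation values.
SAMPLE = """\
15:48:02.101 00:00:5e:00:53:01 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 203.0.113.10.1025: Flags [R.], seq 0, ack 1, win 0, length 0
15:48:05.440 00:00:5e:00:53:02 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 74: 198.51.100.7.40112 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
15:48:22.317 00:00:5e:00:53:01 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 203.0.113.10.1030: Flags [R.], seq 0, ack 1, win 0, length 0
15:48:30.000 00:00:5e:00:53:02 > 00:00:5e:00:53:fe, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.10 tell 203.0.113.1, length 46
"""

# Hypothetical device list: MAC address -> name of the neighbour on that segment.
INVENTORY = {"00:00:5e:00:53:01": "internet router"}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > {MAC}, ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > ",
    re.IGNORECASE,
)

def loopback_sources(capture_text):
    """Return {source MAC: frame count} for frames whose IPv4 source is loopback."""
    hits = Counter()
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # non-IPv4 frame (e.g. ARP) or a layout this parser does not know
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address text
        # A 127.0.0.0/8 source seen on a wire interface cannot be genuine local traffic.
        if src.is_loopback:
            hits[m["smac"].lower()] += 1
    return dict(hits)

def attribute(hits, inventory):
    """Pair each offending MAC with its inventory label, busiest sender first."""
    ranked = sorted(hits.items(), key=lambda kv: -kv[1])
    return [(mac, n, inventory.get(mac, "unknown device")) for mac, n in ranked]

if __name__ == "__main__":
    for mac, count, label in attribute(loopback_sources(SAMPLE), INVENTORY):
        print(f"{count} frame(s) with loopback source from {mac} ({label})")
```

An "unknown device" label means the frames entered from a neighbour that is not in the list, which is the case worth following up first.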