Solved

access-list to block ip spoof

Posted on 2003-10-27
8
1,829 Views
Last Modified: 2007-12-19
I have a PIX firewall that is connected to the Internet (without a router). I am seeing a lot of "deny IP spoof from 127.0.0.1" in my syslog. I know that you can implement some access-lists on the router to fight IP spoofing, but I tried the same command on my PIX without success. What are the right commands on the PIX to fight IP spoofing?
0
Question by:tshi5791
8 Comments
 
LVL 13

Expert Comment

by:td_miles
ID: 9675953
A good reference is here:
http://www.thewaystation.com/techref/internet-in.shtml

The main thrust of it is that you should block inbound traffic on your outside interface from those addresses that will NEVER be valid on that interface (i.e. loopback address, private addresses, broadcast addresses, etc.)

To be safe you would also apply an access list inbound on your inside interface only allowing traffic from the subnet ranges that are actually on your inside network.

The above link is for Cisco routers, but is easily modified for the PIX. Just remember that the subnet masks are backwards!
0
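The "backwards" masks td_miles mentions are the main trap when adapting a router reference for the PIX: IOS access-lists take a wildcard mask (0 bits must match), the PIX takes an ordinary subnet mask (1 bits must match), and an IOS entry pasted unchanged gets a completely different mask than intended. The Python script below is an added example, not code from this thread, from Cisco or from the linked reference. It converts IOS wildcard entries to PIX form, and generates the two lists described above: bogon denies for the outside interface and a permit-only list for the inside interface. The ACL numbers, the bogon list and the inside subnet used in the demo are constructed for the example.

```python
import ipaddress
from typing import Iterable, List

# Source ranges that should never appear on packets arriving inbound on an
# Internet-facing interface: "this" network, RFC 1918 private space, loopback,
# multicast and the limited broadcast address. Constructed list for this example.
BOGON_SOURCES = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "224.0.0.0/4",
    "255.255.255.255/32",
]


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard mask (0 bits must match) -> PIX subnet mask (1 bits must match).
    The two are bitwise complements, so the same XOR converts in either direction."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def ios_to_pix(line: str) -> str:
    """Rewrite an IOS 'access-list N deny ip NET WILDCARD any [log]' entry into PIX
    syntax. 'host A' entries carry no mask and are identical on both platforms."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    if t[4] == "host":
        return line
    mask = wildcard_to_netmask(t[5])
    # PIX masks must be contiguous; IPv4Network raises ValueError for anything else.
    ipaddress.IPv4Network(f"{t[4]}/{mask}", strict=False)
    t[5] = mask
    return " ".join(t)


def _pix_source(net: ipaddress.IPv4Network) -> str:
    """Render a network as a PIX source spec: 'host A' for a /32, else 'NET MASK'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def outside_antispoof_acl(acl_id: int = 104) -> List[str]:
    """Deny entries for an ACL applied inbound on the outside interface. Place them
    before the permits so a bogon source can never be matched by a later permit."""
    return [f"access-list {acl_id} deny ip {_pix_source(ipaddress.IPv4Network(c))} any log"
            for c in BOGON_SOURCES]


def inside_ingress_acl(inside_subnets: Iterable[str], acl_id: int = 105) -> List[str]:
    """ACL applied inbound on the inside interface: permit only the subnets that
    really exist inside, then log and drop everything else (a spoofed inside host)."""
    lines = [f"access-list {acl_id} permit ip {_pix_source(ipaddress.IPv4Network(c))} any"
             for c in inside_subnets]
    lines.append(f"access-list {acl_id} deny ip any any log")
    return lines


if __name__ == "__main__":
    # An IOS-style loopback deny, as found in router-oriented references.
    print(ios_to_pix("access-list 104 deny ip 127.0.0.0 0.255.255.255 any log"))
    for entry in outside_antispoof_acl():
        print(entry)
    for entry in inside_ingress_acl(["192.168.1.0/24"]):   # constructed inside subnet
        print(entry)
```

Generating the entries is only half of it: as on the PIX already described in the thread, the list still has to be bound to the interface with `access-group` (for example `access-group 104 in interface outside`) before any packet is evaluated against it.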
 

Author Comment

by:tshi5791
ID: 9851430
Hi td_miles

Though I am getting this message in my syslog:
"2003-12-01 08:28:22      User.Critical      194.10.1.110      Dec 01 2003 09:31:49: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 216.75.X.X on interface outside",

when I look at my firewall log, I don't see the number of counts.
Below is a part of my access-list.
access-list 104 deny ip 0.0.0.0 0.255.255.255 any log
access-list 104 deny ip 127.0.0.0 255.255.255.0 any log
access-list 104 deny ip 172.16.0.0 255.255.0.0 any log
access-list 104 deny ip 192.168.0.0 255.255.0.0 any log
access-list 104 deny ip 224.0.0.0 255.255.255.0 any log
access-list 104 deny ip 192.0.0.0 255.255.255.0 any log
access-list 104 deny ip host 127.0.0.1 any log

This acce
0
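Before chasing the ACL counters, it is worth knowing how many 106016 drops the firewall is actually reporting, from which sources, and whether they arrive in bursts. The Python script below is an added example, not from this thread: it pulls the PIX timestamp, severity, source, destination and interface out of each "Deny IP spoof" message, counts events per interface and per source, and flags sources that repeat within a sliding time window. The log lines are constructed to match the format quoted above, with documentation addresses in place of the real ones, and the severity digit is captured rather than hard-coded so the parser keeps working if the message is later logged at a different level.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# PIX 106016 "Deny IP spoof" message. The severity digit is captured, not fixed,
# so the same pattern matches %PIX-2-106016 and a re-leveled %PIX-6-106016.
SPOOF_RE = re.compile(
    r"%PIX-(?P<sev>\d)-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)
# The PIX's own timestamp immediately precedes the message id.
TS_RE = re.compile(r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-")

# Constructed sample, same layout as the syslog line quoted in the thread.
SAMPLE_LOG = [
    "2003-12-01 08:28:22 User.Critical 198.51.100.1 Dec 01 2003 09:31:49: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside",
    "2003-12-01 08:29:02 User.Critical 198.51.100.1 Dec 01 2003 09:32:29: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside",
    '2003-12-01 08:30:11 User.Warning  198.51.100.1 Dec 01 2003 09:33:38: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3312 dst inside:203.0.113.10/445 by access-group "104"',
    "2003-12-01 08:30:40 User.Critical 198.51.100.1 Dec 01 2003 09:34:07: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside",
    "2003-12-01 08:31:05 User.Critical 198.51.100.1 Dec 01 2003 09:34:32: %PIX-2-106016: Deny IP spoof from (203.0.113.10) to 203.0.113.10 on interface outside",
    "2003-12-01 08:45:00 User.Info     198.51.100.1 Dec 01 2003 09:48:27: %PIX-6-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside",
]


def parse_spoof_event(line: str) -> Optional[Dict]:
    """Return the fields of a 106016 message, or None for any other syslog line."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    t = TS_RE.search(line)
    ts = datetime.strptime(t.group("ts"), "%b %d %Y %H:%M:%S") if t else None
    return {"ts": ts, "severity": int(m.group("sev")), "src": m.group("src"),
            "dst": m.group("dst"), "iface": m.group("iface")}


def summarize(lines: List[str]) -> Dict:
    """Count spoof drops per interface and per (interface, source), and record the
    time span they cover; a large count in a short span is the thing to look at."""
    by_iface: Counter = Counter()
    by_src: Counter = Counter()
    first = last = None
    for line in lines:
        ev = parse_spoof_event(line)
        if ev is None:
            continue
        by_iface[ev["iface"]] += 1
        by_src[(ev["iface"], ev["src"])] += 1
        if ev["ts"] is not None:
            first = ev["ts"] if first is None or ev["ts"] < first else first
            last = ev["ts"] if last is None or ev["ts"] > last else last
    return {"by_iface": by_iface, "by_src": by_src, "first": first, "last": last}


def bursts(lines: List[str], window_seconds: int = 300, threshold: int = 3) -> List[Tuple[str, str]]:
    """(interface, source) pairs with at least `threshold` events inside any
    `window_seconds` span, found with a sliding window over sorted timestamps."""
    times = defaultdict(list)
    for line in lines:
        ev = parse_spoof_event(line)
        if ev and ev["ts"] is not None:
            times[(ev["iface"], ev["src"])].append(ev["ts"])
    flagged = []
    for key, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while (ts[hi] - ts[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("per interface:", dict(s["by_iface"]))
    print("per source:   ", dict(s["by_src"]))
    print("span:", s["first"], "->", s["last"])
    print("bursting sources:", bursts(SAMPLE_LOG))
```

Note that the first timestamp on each line is the syslog collector's clock and the second is the PIX's; the script keys on the PIX timestamp so the window calculation is not skewed when the two clocks disagree, as they do by about an hour in the quoted line.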
 
LVL 13

Expert Comment

by:td_miles
ID: 9854374
Is access-list 104 applied to the outside interface ?

From the PIX, use the command "sho access-list 104" and see if it is matching your deny statements for 127.0.0.0/24 by the number of times it has matched this line of the ACL.
0
 

Author Comment

by:tshi5791
ID: 9858096
Hi td_miles

Yes, the access-list is applied to the outside interface.

When I do "show access-list 104", I don't see any increase in hit counts.
access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 41 deny ip 224.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 42 deny ip 192.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
0
 
LVL 13

Expert Comment

by:td_miles
ID: 9863157
From what you have posted above, you are only showing part of the access-list. Can you post the whole access-list please? It is possible that a previous line in the ACL is matching the traffic first, so it is not getting to the deny statements.
0
 

Author Comment

by:tshi5791
ID: 9867640
Here it is.

access-list 104; 43 elements
access-list 104 line 1 permit tcp any host 216.75.X.Y eq 1999 (hitcnt=0)
access-list 104 line 2 permit tcp any host 216.75.X.Y eq 2000 (hitcnt=0)
access-list 104 line 3 permit tcp any host 216.75.X.Y eq 7622 (hitcnt=0)
access-list 104 line 4 permit tcp any host 216.75.X.Y eq 7650 (hitcnt=0)
access-list 104 line 5 permit tcp any host 216.75.X.Y eq 7630 (hitcnt=0)
access-list 104 line 6 permit tcp any host 216.75.X.Y eq 7630 (hitcnt=0)
access-list 104 line 7 permit tcp any host 216.75.X.Y eq 1999 (hitcnt=0)
access-list 104 line 8 permit tcp any host 216.75.X.Y eq ftp (hitcnt=12)
access-list 104 line 9 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=97)
access-list 104 line 10 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 11 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=4)
access-list 104 line 12 permit tcp any host 216.75.X.Y eq 8720 (hitcnt=100)
access-list 104 line 13 permit tcp any host 216.75.X.Y eq 8750 (hitcnt=0)
access-list 104 line 14 permit tcp any host 216.75.X.Y eq 2000 (hitcnt=24)
access-list 104 line 15 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 16 permit tcp any host 216.75.X.Y eq 2070 (hitcnt=111)
access-list 104 line 17 permit tcp any host 216.75.X.Y eq 5001 (hitcnt=109)
access-list 104 line 18 deny tcp any any eq 445 log 6 interval 300 (hitcnt=92)
access-list 104 line 19 deny udp any any eq 445 log 6 interval 300 (hitcnt=0)
access-list 104 line 20 deny tcp any any eq 135 log 6 interval 300 (hitcnt=1139)
access-list 104 line 21 deny udp any any eq 135 log 6 interval 300 (hitcnt=0)
access-list 104 line 22 deny tcp any any eq 137 log 6 interval 300 (hitcnt=0)
access-list 104 line 23 deny udp any any eq netbios-ns log 6 interval 300 (hitcnt=1054)
access-list 104 line 24 deny udp any any eq tftp log 6 interval 300 (hitcnt=0)
access-list 104 line 25 deny udp any any eq netbios-dgm log 6 interval 300 (hitcnt=0)
access-list 104 line 26 deny udp any any eq 139 log 6 interval 300 (hitcnt=0)
access-list 104 line 27 deny tcp any any eq netbios-ssn log 6 interval 300 (hitcnt=81)
access-list 104 line 28 deny tcp any any eq 593 log 6 interval 300 (hitcnt=0)
access-list 104 line 29 deny tcp any any eq 4444 log 6 interval 300 (hitcnt=0)
access-list 104 line 30 deny icmp any any (hitcnt=46236)
access-list 104 line 31 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=0)
access-list 104 line 32 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=0)
access-list 104 line 33 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 34 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=0)
access-list 104 line 35 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=0)
access-list 104 line 36 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 41 deny ip 224.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 42 deny ip 192.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
0
 
LVL 13

Accepted Solution

by:
td_miles earned 100 total points
ID: 9870839
After reading some documentation on the spoofing log message, it appears that the PIX is automatically configured to deny packets with an invalid source address, specifically where the source address is:

* Loopback network (127.0.0.0)
* Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
* The destination host (land.c)

Which would mean that the PIX is blocking it automatically and you don't need it in the ACL (and hence why it is not being matched in the ACL, the PIX blocks it before it gets to the ACL).

If you want to stop this message from appearing in the logs, use the "no log" command:

no logging message 106016

or you can change the level that it logs this message at, again using the logging command:

logging message 106016 level 6   (to log it at the info level)

My apologies for not checking on this sooner.
0
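Two things in this thread decide whether a deny line ever accumulates hits: the PIX evaluates an ACL top-down and stops at the first match (td_miles's question about an earlier line catching the traffic), and it drops loopback, broadcast and land-style sources before the ACL is consulted at all (the accepted answer), which is why a 127.0.0.1 deny can sit at hitcnt=0 while 106016 messages keep arriving. The Python model below is an added example, not PIX code and not from the thread. It parses `show access-list` output into entries, reports lines that an earlier line fully shadows, and evaluates sample packets through a simplified version of the built-in source check (loopback /8, limited and interface-directed broadcast, source equal to destination). That check is a model written for this example, and the ACL text and addresses are constructed to resemble the one posted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names as "show access-list" prints them (subset sufficient for the sample).
PORT_NAMES = {"ftp": 21, "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Constructed output, modeled on the list in the thread: a duplicated permit
# (line 5 repeats line 2) and a host deny (line 7) already covered by line 6.
SAMPLE_SHOW = """\
access-list 104; 7 elements
access-list 104 line 1 permit tcp any host 203.0.113.10 eq ftp (hitcnt=12)
access-list 104 line 2 permit tcp any host 203.0.113.10 eq 8740 (hitcnt=97)
access-list 104 line 3 deny tcp any any eq 135 log 6 interval 300 (hitcnt=1139)
access-list 104 line 4 deny icmp any any (hitcnt=46236)
access-list 104 line 5 permit tcp any host 203.0.113.10 eq 8740 (hitcnt=0)
access-list 104 line 6 deny ip 127.0.0.0 255.0.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 7 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
"""


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class AclEntry:
    line: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    hitcnt: int


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one PIX address spec ('any', 'host A' or 'NET MASK') at t[i]."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_show_access_list(text: str) -> List[AclEntry]:
    """Parse 'access-list N line L action proto src dst [eq port] ... (hitcnt=H)' rows."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 8 or t[0] != "access-list" or t[2] != "line":
            continue                       # header row or blank line
        src, i = _addr(t, 6)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        m = re.search(r"\(hitcnt=(\d+)\)", raw)
        entries.append(AclEntry(int(t[3]), t[4], t[5], src, dst, dport, int(m.group(1)) if m else 0))
    return entries


def acl_matches(e: AclEntry, pkt: Packet) -> bool:
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in e.src or ipaddress.IPv4Address(pkt.dst) not in e.dst:
        return False
    return e.dport is None or e.dport == pkt.dport


def shadowed_entries(entries: List[AclEntry]) -> List[Tuple[int, int]]:
    """(line, shadowing_line) for each entry an earlier entry fully covers; such a
    line can never match, so its hitcnt stays 0 no matter what traffic arrives."""
    out = []
    for idx, e in enumerate(entries):
        for earlier in entries[:idx]:
            if (earlier.proto in ("ip", e.proto) and e.src.subnet_of(earlier.src)
                    and e.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == e.dport)):
                out.append((e.line, earlier.line))
                break
    return out


def builtin_spoof_reason(pkt: Packet, iface_net: ipaddress.IPv4Network) -> Optional[str]:
    """Simplified model (an assumption of this example) of the pre-ACL source check."""
    src = ipaddress.IPv4Address(pkt.src)
    if src in ipaddress.IPv4Network("127.0.0.0/8"):
        return "loopback source"
    if src == ipaddress.IPv4Address("255.255.255.255") or src == iface_net.broadcast_address:
        return "broadcast source"
    if pkt.src == pkt.dst:
        return "source equals destination (land)"
    return None


def evaluate(pkt: Packet, entries: List[AclEntry], iface_net: ipaddress.IPv4Network) -> Tuple[str, str, Optional[int]]:
    """Return (action, reason, acl_line); bumps hitcnt on the matched entry like the
    PIX counters do. A spoofed source is dropped before any ACL line is consulted."""
    reason = builtin_spoof_reason(pkt, iface_net)
    if reason:
        return ("drop", "106016 " + reason, None)
    for e in entries:
        if acl_matches(e, pkt):
            e.hitcnt += 1
            return (e.action, "acl", e.line)
    return ("deny", "implicit deny", None)


if __name__ == "__main__":
    acl = parse_show_access_list(SAMPLE_SHOW)
    outside = ipaddress.IPv4Network("203.0.113.0/24")   # constructed outside subnet
    print("shadowed (line, by):", shadowed_entries(acl))
    print(evaluate(Packet("tcp", "127.0.0.1", "203.0.113.10", 8740), acl, outside))
    print("line 6 hitcnt after loopback packet:", acl[5].hitcnt)
```

Run against the real `show access-list 104` output, the shadow report is the quickest way to answer td_miles's question about earlier lines, and the loopback packet walking through `evaluate` shows why line 37 and line 43 of the posted list can never increment.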
 

Author Comment

by:tshi5791
ID: 9874155
td_miles,

No need to apologize. I thank you for taking the time to help me out. I did come across similar docs but was not sure. It is always good to get a second opinion.

Thanks again.
0
