access-list to block ip spoof

I have a PIX firewall that is connected to the Internet (without a router). I am seeing a lot of "deny ip spoof from 127.0.0.1" in my syslog. I know that you can implement an access-list on a router to fight IP spoofing, but I tried the same command on my PIX without success. What are the right commands on the PIX to fight IP spoofing?
tshi5791Asked:
td_milesCommented:
After reading some documentation on the spoofing log message, it appears that the PIX is automatically configured to deny packets with an invalid source address, specifically where the source address is:

* Loopback network (127.0.0.0)
* Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
* The destination host (land.c)

Which would mean that the PIX is blocking it automatically and you don't need it in the ACL (and hence why it is not being matched in the ACL, the PIX blocks it before it gets to the ACL).

If you want to stop this message from appearing in the logs, use the "no log" command:

no logging message 106016

or you can change the level that it logs this message at, again using the logging command:

logging message 106016 level 6   (to log it at the info level)

My apologies for not checking on this sooner.
0
 
td_milesCommented:
A good reference is here:
http://www.thewaystation.com/techref/internet-in.shtml

The main thrust of it is that you should block inbound traffic on your outside interface from those addresses that will NEVER be valid on that interface (ie. loopback address, private addresses, broadcast addresses, etc.)

To be safe you would also apply an access list inbound on your inside interface only allowing traffic from the subnet ranges that are actually on your inside network.

The above link is for Cisco routers, but is easily modified for the PIX. Just remember that the subnet masks are backwards!
0
 
tshi5791Author Commented:
Hi td_miles

Though I am getting this message from my syslog:
"2003-12-01 08:28:22      User.Critical      194.10.1.110      Dec 01 2003 09:31:49: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 216.75.X.X on interface outside",

when I look at my firewall log, I don't see the number of counts.
Below is a part of my access-list.
access-list 104 deny ip 0.0.0.0 0.255.255.255 any log
access-list 104 deny ip 127.0.0.0 255.255.255.0 any log
access-list 104 deny ip 172.16.0.0 255.255.0.0 any log
access-list 104 deny ip 192.168.0.0 255.255.0.0 any log
access-list 104 deny ip 224.0.0.0 255.255.255.0 any log
access-list 104 deny ip 192.0.0.0 255.255.255.0 any log
access-list 104 deny ip host 127.0.0.1 any log

This acce
0
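As an added example (not code from the thread), the following Python does two pieces of bookkeeping discussed here: it inverts the IOS-style wildcard masks used by router anti-spoof ACLs into the PIX netmask form, and it parses the %PIX-2-106016 syslog line quoted above to count spoofed sources and tag which bogon range each falls in. The bogon list, destination address and log lines are constructed samples.

```python
import ipaddress
import re

# Source ranges that should never be valid on the outside interface,
# written with IOS wildcard masks (router form). Constructed sample list.
IOS_BOGONS = [
    ("0.0.0.0", "0.255.255.255"),
    ("127.0.0.0", "0.255.255.255"),
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
    ("224.0.0.0", "15.255.255.255"),
]

def wildcard_to_netmask(wildcard):
    """Invert an IOS wildcard mask into the PIX subnet-mask form."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))

def pix_deny_line(acl, network, wildcard):
    """Render one router-style bogon entry as a PIX access-list statement."""
    return f"access-list {acl} deny ip {network} {wildcard_to_netmask(wildcard)} any log"

# Format of the 106016 message as it appears in the syslog above.
SPOOF_RE = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>\S+) on interface (?P<ifc>\w+)"
)

def parse_spoof_event(line):
    """Return src/dst/interface for a 106016 line, or None for other messages."""
    match = SPOOF_RE.search(line)
    return match.groupdict() if match else None

def matches_bogon(src):
    """Return the 'network/netmask' bogon range containing src, or None."""
    addr = ipaddress.ip_address(src)
    for network, wildcard in IOS_BOGONS:
        mask = wildcard_to_netmask(wildcard)
        if addr in ipaddress.ip_network(f"{network}/{mask}", strict=False):
            return f"{network}/{mask}"
    return None

def summarize(lines):
    """Count 106016 events per spoofed source and tag the bogon range hit."""
    summary = {}
    for line in lines:
        event = parse_spoof_event(line)
        if event is None:
            continue  # not a spoof-deny message
        entry = summary.setdefault(event["src"], {"count": 0, "bogon": matches_bogon(event["src"])})
        entry["count"] += 1
    return summary

# Constructed sample syslog lines (203.0.113.0/24 is documentation space).
SAMPLE_LOG = [
    "2003-12-01 08:28:22 User.Critical 203.0.113.1 Dec 01 2003 09:31:49: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside",
    "2003-12-01 08:28:25 User.Critical 203.0.113.1 Dec 01 2003 09:31:52: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside",
    "2003-12-01 08:29:01 User.Critical 203.0.113.1 Dec 01 2003 09:32:28: %PIX-2-106016: Deny IP spoof from (192.168.5.5) to 203.0.113.10 on interface outside",
    "2003-12-01 08:29:05 User.Info 203.0.113.1 Dec 01 2003 09:32:32: %PIX-6-302013: Built inbound TCP connection",
]
```

Because the PIX drops these packets before the ACL is consulted, a summary like this is the place to watch spoof volume; the ACL hit counters will stay at zero for them.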
td_milesCommented:
Is access-list 104 applied to the outside interface?

From the PIX, use the command "sho access-list 104" and see if it is matching your deny statements for 127.0.0.0/24 by the number of times it has matched this line of the ACL.
0
 
tshi5791Author Commented:
Hi td_miles

Yes, the access-list is applied to the outside interface.

When I do "show access-list 104", I don't see any increase in hit counts.
access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 41 deny ip 224.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 42 deny ip 192.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
0
 
td_milesCommented:
From what you have posted above, you are only showing part of the access-list. Can you post the whole access-list please? It is possible that a previous line in the ACL is matching the traffic first and so it is not getting to the deny statements.
0
 
tshi5791Author Commented:
Here it is.

access-list 104; 43 elements
access-list 104 line 1 permit tcp any host 216.75.X.Y eq 1999 (hitcnt=0)
access-list 104 line 2 permit tcp any host 216.75.X.Y eq 2000 (hitcnt=0)
access-list 104 line 3 permit tcp any host 216.75.X.Y eq 7622 (hitcnt=0)
access-list 104 line 4 permit tcp any host 216.75.X.Y eq 7650 (hitcnt=0)
access-list 104 line 5 permit tcp any host 216.75.X.Y eq 7630 (hitcnt=0)
access-list 104 line 6 permit tcp any host 216.75.X.Y eq 7630 (hitcnt=0)
access-list 104 line 7 permit tcp any host 216.75.X.Y eq 1999 (hitcnt=0)
access-list 104 line 8 permit tcp any host 216.75.X.Y eq ftp (hitcnt=12)
access-list 104 line 9 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=97)
access-list 104 line 10 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 11 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=4)
access-list 104 line 12 permit tcp any host 216.75.X.Y eq 8720 (hitcnt=100)
access-list 104 line 13 permit tcp any host 216.75.X.Y eq 8750 (hitcnt=0)
access-list 104 line 14 permit tcp any host 216.75.X.Y eq 2000 (hitcnt=24)
access-list 104 line 15 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 16 permit tcp any host 216.75.X.Y eq 2070 (hitcnt=111)
access-list 104 line 17 permit tcp any host 216.75.X.Y eq 5001 (hitcnt=109)
access-list 104 line 18 deny tcp any any eq 445 log 6 interval 300 (hitcnt=92)
access-list 104 line 19 deny udp any any eq 445 log 6 interval 300 (hitcnt=0)
access-list 104 line 20 deny tcp any any eq 135 log 6 interval 300 (hitcnt=1139)
access-list 104 line 21 deny udp any any eq 135 log 6 interval 300 (hitcnt=0)
access-list 104 line 22 deny tcp any any eq 137 log 6 interval 300 (hitcnt=0)
access-list 104 line 23 deny udp any any eq netbios-ns log 6 interval 300 (hitcnt=1054)
access-list 104 line 24 deny udp any any eq tftp log 6 interval 300 (hitcnt=0)
access-list 104 line 25 deny udp any any eq netbios-dgm log 6 interval 300 (hitcnt=0)
access-list 104 line 26 deny udp any any eq 139 log 6 interval 300 (hitcnt=0)
access-list 104 line 27 deny tcp any any eq netbios-ssn log 6 interval 300 (hitcnt=81)
access-list 104 line 28 deny tcp any any eq 593 log 6 interval 300 (hitcnt=0)
access-list 104 line 29 deny tcp any any eq 4444 log 6 interval 300 (hitcnt=0)
access-list 104 line 30 deny icmp any any (hitcnt=46236)
access-list 104 line 31 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=0)
access-list 104 line 32 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=0)
access-list 104 line 33 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 34 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=0)
access-list 104 line 35 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=0)
access-list 104 line 36 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 41 deny ip 224.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 42 deny ip 192.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
0
 
tshi5791Author Commented:
td_miles,

No need to apologize. I thank you for taking time to help me out. I did come across similar docs but was not sure. It is always good to get a second opinion.

Thanks again.
0