access-list to block ip spoof

I have a PIX firewall that is connected to the Internet (without a router). I am seeing a lot of "deny ip spoof from 127.0.0.1" on my syslog. I know that you can implement some access-list on the router to fight IP spoofing, but I tried the same command on my PIX without success. What are the right commands on the PIX to fight IP spoofing?
tshi5791Asked:

td_milesCommented:
A good reference is here:
http://www.thewaystation.com/techref/internet-in.shtml

The main thrust of it is that you should block inbound traffic on your outside interface from those addresses that will NEVER be valid on that interface (i.e. loopback address, private addresses, broadcast addresses, etc.)

To be safe you would also apply an access list inbound on your inside interface only allowing traffic from the subnet ranges that are actually on your inside network.

The above link is for Cisco routers, but is easily modified for the PIX. Just remember that the subnet masks are backwards !
tshi5791Author Commented:
Hi td_miles

Though I am getting this message from my syslog:
"2003-12-01 08:28:22      User.Critical      194.10.1.110      Dec 01 2003 09:31:49: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 216.75.X.X on interface outside",

when I look at my firewall log, I don't see the number of hits.
Below is a part of my access-list.
access-list 104 deny ip 0.0.0.0 0.255.255.255 any log
access-list 104 deny ip 127.0.0.0 255.255.255.0 any log
access-list 104 deny ip 172.16.0.0 255.255.0.0 any log
access-list 104 deny ip 192.168.0.0 255.255.0.0 any log
access-list 104 deny ip 224.0.0.0 255.255.255.0 any log
access-list 104 deny ip 192.0.0.0 255.255.255.0 any log
access-list 104 deny ip host 127.0.0.1 any log

This acce
td_milesCommented:
Is access-list 104 applied to the outside interface ?

From the PIX, use the command "sho access-list 104" and see if it is matching your deny statements for 127.0.0.0/24 by the number of times it has matched this line of the ACL.
tshi5791Author Commented:
Hi td_miles

Yes, the access-list is applied to the outside interface.

When I do "show access-list 104", I don't see any increase in hit counts.
access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 41 deny ip 224.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 42 deny ip 192.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
td_milesCommented:
From what you have posted above, you are only showing part of the access-list. Can you post the whole access-list please? It is possible that a previous line in the ACL is matching the traffic first and so it is not getting to the deny statements.
tshi5791Author Commented:
Here it is.

access-list 104; 43 elements
access-list 104 line 1 permit tcp any host 216.75.X.Y eq 1999 (hitcnt=0)
access-list 104 line 2 permit tcp any host 216.75.X.Y eq 2000 (hitcnt=0)
access-list 104 line 3 permit tcp any host 216.75.X.Y eq 7622 (hitcnt=0)
access-list 104 line 4 permit tcp any host 216.75.X.Y eq 7650 (hitcnt=0)
access-list 104 line 5 permit tcp any host 216.75.X.Y eq 7630 (hitcnt=0)
access-list 104 line 6 permit tcp any host 216.75.X.Y eq 7630 (hitcnt=0)
access-list 104 line 7 permit tcp any host 216.75.X.Y eq 1999 (hitcnt=0)
access-list 104 line 8 permit tcp any host 216.75.X.Y eq ftp (hitcnt=12)
access-list 104 line 9 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=97)
access-list 104 line 10 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 11 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=4)
access-list 104 line 12 permit tcp any host 216.75.X.Y eq 8720 (hitcnt=100)
access-list 104 line 13 permit tcp any host 216.75.X.Y eq 8750 (hitcnt=0)
access-list 104 line 14 permit tcp any host 216.75.X.Y eq 2000 (hitcnt=24)
access-list 104 line 15 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 16 permit tcp any host 216.75.X.Y eq 2070 (hitcnt=111)
access-list 104 line 17 permit tcp any host 216.75.X.Y eq 5001 (hitcnt=109)
access-list 104 line 18 deny tcp any any eq 445 log 6 interval 300 (hitcnt=92)
access-list 104 line 19 deny udp any any eq 445 log 6 interval 300 (hitcnt=0)
access-list 104 line 20 deny tcp any any eq 135 log 6 interval 300 (hitcnt=1139)
access-list 104 line 21 deny udp any any eq 135 log 6 interval 300 (hitcnt=0)
access-list 104 line 22 deny tcp any any eq 137 log 6 interval 300 (hitcnt=0)
access-list 104 line 23 deny udp any any eq netbios-ns log 6 interval 300 (hitcnt=1054)
access-list 104 line 24 deny udp any any eq tftp log 6 interval 300 (hitcnt=0)
access-list 104 line 25 deny udp any any eq netbios-dgm log 6 interval 300 (hitcnt=0)
access-list 104 line 26 deny udp any any eq 139 log 6 interval 300 (hitcnt=0)
access-list 104 line 27 deny tcp any any eq netbios-ssn log 6 interval 300 (hitcnt=81)
access-list 104 line 28 deny tcp any any eq 593 log 6 interval 300 (hitcnt=0)
access-list 104 line 29 deny tcp any any eq 4444 log 6 interval 300 (hitcnt=0)
access-list 104 line 30 deny icmp any any (hitcnt=46236)
access-list 104 line 31 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=0)
access-list 104 line 32 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=0)
access-list 104 line 33 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 34 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=0)
access-list 104 line 35 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=0)
access-list 104 line 36 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 41 deny ip 224.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 42 deny ip 192.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
td_milesCommented:
After reading some documentation on the spoofing log message, it appears that the PIX is automatically configured to deny packets with an invalid source address, specifically where the source address is:

* Loopback network (127.0.0.0)
* Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
* The destination host (land.c)

Which would mean that the PIX is blocking it automatically and you don't need it in the ACL (and hence why it is not being matched in the ACL, the PIX blocks it before it gets to the ACL).

If you want to stop this message from appearing in the logs, use the "no log" command:

no logging message 106016

or you can change the level that it logs this message at, again using the logging command:

logging message 106016 level 6   (to log it at the info level)

My apologies for not checking on this sooner.
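As an added example (not part of this thread or of any Cisco tooling), a small Python script that parses %PIX-2-106016 lines in the format quoted above and labels why each source address can never legitimately arrive on the outside interface, using the same categories discussed here (loopback, RFC 1918, multicast, the 0.0.0.0/8 network); the counts per category tell you what is actually hitting the firewall before you decide whether to silence or re-level the message. The sample syslog lines and all addresses in them are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the format quoted in the thread (addresses made up;
# 198.51.100.7 is a documentation-range stand-in for an ordinary routable address).
SAMPLE_LOG = """\
2003-12-01 08:28:22 User.Critical 194.10.1.110 Dec 01 2003 09:31:49: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 216.75.1.2 on interface outside
2003-12-01 08:29:10 User.Critical 194.10.1.110 Dec 01 2003 09:32:37: %PIX-2-106016: Deny IP spoof from (192.168.5.9) to 216.75.1.2 on interface outside
2003-12-01 08:30:01 User.Critical 194.10.1.110 Dec 01 2003 09:33:28: %PIX-2-106016: Deny IP spoof from (224.0.0.5) to 216.75.1.2 on interface outside
2003-12-01 08:30:44 User.Critical 194.10.1.110 Dec 01 2003 09:34:11: %PIX-2-106016: Deny IP spoof from (198.51.100.7) to 216.75.1.2 on interface outside
2003-12-01 08:31:02 User.Warning 194.10.1.110 Dec 01 2003 09:34:29: %PIX-4-106023: Deny tcp src outside:198.51.100.7/1234 dst inside:10.0.0.5/445 by access-group 104
"""

# Message 106016 as quoted in the thread: "Deny IP spoof from (SRC) to DST on interface IFACE"
SPOOF_RE = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+)"
    r" on interface (?P<iface>\S+)"
)
# Explicit RFC 1918 blocks; ipaddress.is_private is avoided because it also covers
# documentation ranges such as 198.51.100.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THIS_NET = ipaddress.ip_network("0.0.0.0/8")

def classify_source(src):
    """Label why a source address should never arrive on an Internet-facing interface."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_multicast:
        return "multicast"
    if ip in THIS_NET:
        return "this-network"
    return "routable"  # nothing reserved about it; the PIX flagged it for another reason

def parse_spoof_events(log_text):
    """Return one dict per 106016 line; lines with other message IDs are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            events.append({"src": m["src"], "dst": m["dst"], "iface": m["iface"], "reason": classify_source(m["src"])})
    return events

def summarize(events):
    """Count events per (interface, reason) so a flood from one category stands out."""
    return Counter((e["iface"], e["reason"]) for e in events)
```

Feed it the syslog export instead of SAMPLE_LOG; a "routable" source on the outside interface is worth a closer look, since it means the PIX rejected the packet for a reason other than a reserved range.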

tshi5791Author Commented:
td_miles,

No need to apologize. I thank you for taking time to help me out. I did come across similar docs but was not sure. It is always good to get a second opinion.

Thanks again.