Hello,

My network has an external interface, eth0, and 3 internal subnets 10.9.9.x, 10.9.18.x and 10.9.27.x. By accident I saw that I can ping a private IP, which should not be mine, 10.18.9.153.

What could be wrong in my setup?

Thank you.


My shorewall/interfaces contains:

net     eth0    detect    dhcp,routefilter,norfc1918,blacklist
loc     eth1    detect
wifi    eth2    detect    maclist
dmz     eth3    detect

My interfaces are

4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:08:55:a8:fa brd ff:ff:ff:ff:ff:ff
    inet 10.9.9.254/24 brd 10.9.9.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:21:02:ae brd ff:ff:ff:ff:ff:ff
    inet 10.9.18.254/24 brd 10.9.18.255 scope global eth2
6: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:2c:a9:ef brd ff:ff:ff:ff:ff:ff
    inet 10.9.27.254/24 brd 10.9.27.255 scope global eth3

The tracert output from Windows 2000 shows the following:

Reply from 10.18.9.153: bytes=32 time=50ms TTL=241

Ping statistics for 10.18.9.153:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 50ms, Average = 50ms

C:\>tracert 10.18.9.153

Tracing route to 10.18.9.153 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2    10 ms    10 ms    10 ms  10.214.128.1
  3    10 ms   <10 ms    10 ms  bar01-p12-1-0.nbpthe1.ma.attbb.net [24.128.9.161]
  4    10 ms    10 ms    10 ms  bar01-p10-0-0.cncrhe1.nh.attbb.net [24.128.9.37]
  5    10 ms   <10 ms    10 ms  bar03-f6-7.wobnhe1.ma.attbb.net [24.128.9.81]
  6    10 ms    10 ms    10 ms  24.128.9.89
  7    10 ms    10 ms    10 ms  12.125.39.77
  8    10 ms    10 ms    11 ms  gbr1-p70.cb1ma.ip.att.net [12.123.40.98]
  9    40 ms    10 ms    10 ms  tbr2-p013502.cb1ma.ip.att.net [12.122.5.57]
 10    40 ms    30 ms    30 ms  tbr2-cl5.cgcil.ip.att.net [12.122.10.106]
 11    40 ms    31 ms    30 ms  gbr1-p40.cgcil.ip.att.net [12.122.11.50]
 12    40 ms    30 ms    30 ms  gar1-p360.cgcil.ip.att.net [12.123.5.73]
 13    40 ms    50 ms    40 ms  12-215-4-225.client.mchsi.com [12.215.4.225]
 14    50 ms    41 ms    50 ms  12-215-15-66.client.mchsi.com [12.215.15.66]
 15    50 ms    50 ms    50 ms  10.18.9.153

Trace complete.
On Tuesday 09 March 2004 05:47 am, M Lu wrote:
> Hello,
>
> My network has an external interface, eth0 and 3 internal subnets 10.9.9.x,
> 10.9.18.x and 10.9.27.x. By accident I saw that I can ping a private IP,
> which should not be mine, 10.18.9.153.
>
> What could be wrong in my setup?
>
> Thank you.
>
>
> My shorewall/interfaces contains:
>
> net     eth0    detect    dhcp,routefilter,norfc1918,blacklist
> loc     eth1    detect
> wifi    eth2    detect    maclist
> dmz     eth3    detect
>
> My interfaces are
>
> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:60:08:55:a8:fa brd ff:ff:ff:ff:ff:ff
>     inet 10.9.9.254/24 brd 10.9.9.255 scope global eth1
> 5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:10:4b:21:02:ae brd ff:ff:ff:ff:ff:ff
>     inet 10.9.18.254/24 brd 10.9.18.255 scope global eth2
> 6: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:10:4b:2c:a9:ef brd ff:ff:ff:ff:ff:ff
>     inet 10.9.27.254/24 brd 10.9.27.255 scope global eth3

Please forward the output of "shorewall show nat" as a text attachment.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tuesday 09 March 2004 07:13 am, Tom Eastep wrote:
> On Tuesday 09 March 2004 05:47 am, M Lu wrote:
> > Hello,
> >
> > My network has an external interface, eth0 and 3 internal subnets
> > 10.9.9.x, 10.9.18.x and 10.9.27.x. By accident I saw that I can ping a
> > private IP, which should not be mine, 10.18.9.153.
> >
> > What could be wrong in my setup?
> >
> > Thank you.
> >
> >
> > My shorewall/interfaces contains:
> >
> > net     eth0    detect    dhcp,routefilter,norfc1918,blacklist
> > loc     eth1    detect
> > wifi    eth2    detect    maclist
> > dmz     eth3    detect
> >
> > My interfaces are
> >
> > 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:60:08:55:a8:fa brd ff:ff:ff:ff:ff:ff
> >     inet 10.9.9.254/24 brd 10.9.9.255 scope global eth1
> > 5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:10:4b:21:02:ae brd ff:ff:ff:ff:ff:ff
> >     inet 10.9.18.254/24 brd 10.9.18.255 scope global eth2
> > 6: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:10:4b:2c:a9:ef brd ff:ff:ff:ff:ff:ff
> >     inet 10.9.27.254/24 brd 10.9.27.255 scope global eth3
>
> Please forward the output of "shorewall show nat" as a text attachment.

There are two issues here:

a) How are you able to route packets across the internet to an RFC 1918 address? The answer to that is that DNAT must be occurring before the outbound packets reach the internet and that DNAT is also occurring on the remote end. From the "shorewall show nat" output you sent, it appears that the outbound DNAT is occurring at your ISP. I don't believe that any form of tunneling is involved here because the intermediate routers all show up in the traceroute output.

b) Why didn't 'norfc1918' prevent this? Because that option only checks new connection requests from the internet; it does not check replies to connections initiated from your firewall or from your local systems.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
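To make point b) concrete, here is an added example (not Shorewall's code and not from anyone in this thread) that models a stateful packet filter the way Tom describes it: connection tracking accepts replies to flows the firewall itself originated before any other rule runs, and a 'norfc1918'-style check only ever sees NEW packets arriving on the net interface. It replays the situation in the thread: an echo request to 10.18.9.153 leaves eth0, the reply comes back, and then an unsolicited packet from the same private address arrives. The public address 203.0.113.5 is a documentation address standing in for the firewall's real one, and the request is assumed to have already been masqueraded to it; the conntrack keying is a deliberate simplification of netfilter's tuple.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 address space, the ranges Shorewall's 'norfc1918' option is about.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on ("in") or leaves by ("out")
    direction: str  # "in" or "out"
    src: str
    dst: str
    proto: str
    ident: int      # ICMP echo id or L4 port: enough to identify a flow in this model


class StatefulFirewall:
    """Toy model of a netfilter firewall with a norfc1918 check on the net interface."""

    def __init__(self, net_iface: str):
        self.net_iface = net_iface
        self.conntrack = set()   # flows seen leaving, keyed by a simplified tuple
        self.log = []

    @staticmethod
    def _flow(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.dst, pkt.ident)

    @staticmethod
    def _reverse(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.src, pkt.ident)

    def handle(self, pkt: Packet) -> str:
        # 1. Connection tracking runs first. A packet matching an existing flow in
        #    either direction is ESTABLISHED and accepted straight away, so the
        #    reply to our own ping never reaches the norfc1918 check.
        if self._flow(pkt) in self.conntrack or self._reverse(pkt) in self.conntrack:
            self.log.append(("ACCEPT", "ESTABLISHED", pkt))
            return "ACCEPT"
        # 2. norfc1918: a NEW packet arriving from the internet with a private
        #    source address is dropped (Shorewall logs and drops these).
        if pkt.direction == "in" and pkt.iface == self.net_iface and is_rfc1918(pkt.src):
            self.log.append(("DROP", "norfc1918", pkt))
            return "DROP"
        # 3. Assumed policy for this model: NEW outbound flows are allowed and
        #    recorded; any other new inbound packet is dropped by default.
        if pkt.direction == "out":
            self.conntrack.add(self._flow(pkt))
            self.log.append(("ACCEPT", "NEW", pkt))
            return "ACCEPT"
        self.log.append(("DROP", "policy", pkt))
        return "DROP"


def run_scenario() -> dict:
    """Replay the thread: ping 10.18.9.153, receive the reply, then an unsolicited probe."""
    fw = StatefulFirewall(net_iface="eth0")
    # Constructed packets. 203.0.113.5 is a documentation address standing in for
    # the firewall's real public IP; the LAN host's request is assumed to have been
    # masqueraded to it before it leaves eth0.
    request = Packet("eth0", "out", "203.0.113.5", "10.18.9.153", "icmp", 0x1234)
    reply = Packet("eth0", "in", "10.18.9.153", "203.0.113.5", "icmp", 0x1234)
    unsolicited = Packet("eth0", "in", "10.18.9.153", "203.0.113.5", "icmp", 0x9999)
    return {
        "request": fw.handle(request),          # ACCEPT: NEW outbound flow
        "reply": fw.handle(reply),              # ACCEPT: ESTABLISHED, norfc1918 not consulted
        "unsolicited": fw.handle(unsolicited),  # DROP: NEW inbound from private source
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:12s} -> {verdict}")
```

The ordering in handle() is the whole point: because the ESTABLISHED match comes before the RFC 1918 source check, the option cannot stop a reply to something the inside initiated, which is exactly why the ping succeeds and why this is not an exposure of the internal subnets.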
Hi Tom,

I can understand your explanation in b), i.e. Shorewall does not check the reply to a request initiated from my end. But I do not understand a) very well. Does that mean my Shorewall setup is wrong or my ISP's setup is wrong? Do I have to be worried about somebody on my ISP network being able to hack into my internal subnets (probably not according to your b), but I just want to be sure)?

Could you explain a little bit more and point me to the lines in my "shorewall show nat" where it says DNAT occurs at my ISP.

Thanks a lot for your prompt support as usual.

M Lu.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Experienced Shorewall Users" <shorewall-users@lists.shorewall.net>; "M Lu" <mlu919@hotmail.com>
Sent: Tuesday, March 09, 2004 10:38 AM
Subject: Re: [Shorewall-users] How can I ping a private IP


> On Tuesday 09 March 2004 07:13 am, Tom Eastep wrote:
> > On Tuesday 09 March 2004 05:47 am, M Lu wrote:
..
> > > private IP, which should not be mine, 10.18.9.153.
> > >
..
> > > My shorewall/interfaces contains:
> > >
> > > net     eth0    detect    dhcp,routefilter,norfc1918,blacklist
> > > loc     eth1    detect
..
> > Please forward the output of "shorewall show nat" as a text attachment.
>
> There are two issues here:
>
> a) How are you able to route packets across the internet to an RFC 1918
> address? The answer to that is that DNAT must be occurring before the
> outbound packets reach the internet and that DNAT is also occurring on the
> remote end. From the "shorewall show nat" output you sent, it appears that
> the outbound DNAT is occurring at your ISP. I don't believe that any form of
> tunneling is involved here because the intermediate routers all show up in
> the traceroute output.
>
> b) Why didn't 'norfc1918' prevent this? Because that option only checks new
> connection requests from the internet; it does not check replies to
> connections initiated from your firewall or from your local systems.
>
> -Tom
> --
On Tuesday 09 March 2004 08:46 am, M Lu wrote:
> Hi Tom,
>
> I can understand your explanation in b), i.e. Shorewall does not check the
> reply to request initiated from my end. But I do not understand a) very
> well. Does that mean my Shorewall setup is wrong or my ISP's setup is
> wrong? Do I have to be worried about somebody on my ISP network be able to
> hack into my internal subnets (probably not according to your b), but I
> just want to be sure)?

No -- you do not have to worry about that.

> Could you explain a little bit more and point me to the lines in my
> "shorewall show nat" where it says DNAT occurs at my ISP.

It is the absence of any DNAT entry in your output that leads me to believe that it must be occurring at your ISP. Note the appearance of 10.214.128.1 in the traceroute output; I suspect that is where the destination IP address is being rewritten.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
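Tom's reasoning rests on reading where the path crosses between public and RFC 1918 address space. As an added example (not part of the thread and not a Shorewall tool), the script below parses the Windows tracert output posted at the top of this thread and reports every hop at which the address space changes. A private address that appears after a run of public routers cannot have been forwarded across the internet as-is, so the destination must have been rewritten at or before that point; the private hop right before the first public one is the ISP-side boundary Tom points at. The tracert text is the one from the first message; the parsing regexes assume the standard Windows 2000 tracert layout.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


# Windows tracert hop lines: hop number, three RTT columns, then either a bare
# IP or "hostname [ip]"; a silent hop reads "* * * Request timed out."
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")
ADDR_RE = re.compile(r"(?:\[(\d+(?:\.\d+){3})\]|(\d+(?:\.\d+){3}))\s*$")


def parse_tracert(text: str) -> list:
    """Return [(hop_number, ip_or_None), ...] from Windows tracert output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                    # header, blank and "Trace complete." lines
        hop, rest = int(m.group(1)), m.group(2)
        if "Request timed out" in rest:
            hops.append((hop, None))
            continue
        am = ADDR_RE.search(rest)
        if am:
            hops.append((hop, am.group(1) or am.group(2)))
    return hops


def address_space_transitions(hops: list) -> list:
    """Hops where the path crosses between public and RFC 1918 address space.

    Each entry is (prev_hop, prev_ip, hop, ip). Silent hops are skipped
    because they say nothing about which address space they are in.
    """
    transitions = []
    prev = None
    for hop, ip in hops:
        if ip is None:
            continue
        kind = "private" if is_rfc1918(ip) else "public"
        if prev is not None and prev[2] != kind:
            transitions.append((prev[0], prev[1], hop, ip))
        prev = (hop, ip, kind)
    return transitions


# The tracert output from the first message in this thread.
TRACERT_OUTPUT = """\
Tracing route to 10.18.9.153 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2    10 ms    10 ms    10 ms  10.214.128.1
  3    10 ms   <10 ms    10 ms  bar01-p12-1-0.nbpthe1.ma.attbb.net [24.128.9.161]
  4    10 ms    10 ms    10 ms  bar01-p10-0-0.cncrhe1.nh.attbb.net [24.128.9.37]
  5    10 ms   <10 ms    10 ms  bar03-f6-7.wobnhe1.ma.attbb.net [24.128.9.81]
  6    10 ms    10 ms    10 ms  24.128.9.89
  7    10 ms    10 ms    10 ms  12.125.39.77
  8    10 ms    10 ms    11 ms  gbr1-p70.cb1ma.ip.att.net [12.123.40.98]
  9    40 ms    10 ms    10 ms  tbr2-p013502.cb1ma.ip.att.net [12.122.5.57]
 10    40 ms    30 ms    30 ms  tbr2-cl5.cgcil.ip.att.net [12.122.10.106]
 11    40 ms    31 ms    30 ms  gbr1-p40.cgcil.ip.att.net [12.122.11.50]
 12    40 ms    30 ms    30 ms  gar1-p360.cgcil.ip.att.net [12.123.5.73]
 13    40 ms    50 ms    40 ms  12-215-4-225.client.mchsi.com [12.215.4.225]
 14    50 ms    41 ms    50 ms  12-215-15-66.client.mchsi.com [12.215.15.66]
 15    50 ms    50 ms    50 ms  10.18.9.153

Trace complete.
"""

if __name__ == "__main__":
    hops = parse_tracert(TRACERT_OUTPUT)
    for prev_hop, prev_ip, hop, ip in address_space_transitions(hops):
        print(f"hop {prev_hop} {prev_ip} -> hop {hop} {ip}")
```

Run against the posted trace it reports two crossings: hop 2 (10.214.128.1, private) to hop 3 (24.128.9.161, public), which is the ISP access router Tom suspects of rewriting the destination, and hop 14 (12.215.15.66, public) to hop 15 (10.18.9.153, private), the remote end where the packet is translated back into that network's private space.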