We have lots of users with SonicWalls for VPN connectivity in to FW-1, possible major security hole

From: Mark J. DeFilippis (mark.defilippisat_private)
Date: Fri Mar 08 2002 - 10:14:10 PST


    We use SonicWall SOHO2 / SOHO3 devices for VPN connectivity to our core
    running FW-1. The following came to our attention recently, and I was
    interested if anyone has seen something similar when using these devices.
    
    With the default rule disabled:  Disable default  Src: LAN  Dst: ALL
    This rule is the last rule (default), number 26, which allows any traffic
    to pass from the LAN to the WAN.
    
    We stop packets going out from the LAN on ports we don't know about.
    In this case the DNS server is 167.206.7.4.
    The firewall gateway LAN address is 192.168.1.1.
    The firewall WAN address is 24.184.168.52.
    An NT server on the internal LAN is 192.168.1.22.
    There is NO public IP address configured for ANY service.
    
    Recently, in a hub-based cable modem environment, we found the following:
    
    Time          Message              Source                  Destination             Notes             Rule
    22:02:13.768  UDP packet dropped   167.206.7.4,53 WAN      24.184.168.52,5470 WAN
    22:02:13.784  ICMP packet dropped  192.168.1.22,3,LAN      167.206.7.4,3,WAN       Dest Unreachable  26
    22:03:43.800  UDP packet dropped   167.206.7.4,53 WAN      24.184.168.52,5470 WAN
    22:03:43:816  ICMP packet dropped  192.168.1.22,3,LAN      167.206.7.4,3,WAN       Dest Unreachable  26
    22:05:13.864  UDP packet dropped   167.206.7.4,53 WAN      24.184.168.52,5470 WAN
    22:05:13.864  ICMP packet dropped  192.168.1.22,3,LAN      167.206.7.4,3,WAN       Dest Unreachable  26
    
    It continues for what appears to be every 30 seconds. My problem is: if the
    inbound DNS packet is really dropped, why is my internal server responding
    to this packet with a "Destination Unreachable"? (Note that I allow LAN to
    WAN ping request and response to pass, but not ICMP type 3. So it is
    blocking the packet out to the internet.) My question is why it should
    have ever received any packet based on the DNS packet in the first place?
    
    BTW - The server 192.168.1.22 is a Win2K AS NT server with DNS Server and
    Client disabled. No routing or other services enabled. It is not even a
    part of a domain; it is in a simple workgroup. This may have no bearing on
    the problem, but I figure if the packet was stopped at the WAN interface,
    it should not have generated a packet on the LAN that a server responded
    to with a "Dest Unreachable" ICMP type 3!!
    
    Most people run the SonicWalls with the "Default" LAN to any enabled, so
    they wouldn't even see this under normal conditions. I disabled the default
    when I found a shareware utility running on my network was communicating
    system and network information out port 63002 to a specific host IP. Then
    there was "GameSpy" doing something similar.... So now I block all unknown
    LAN to WAN communications.
    
    Any thoughts on this behavior? I consider this a serious security flaw.
    If my Checkpoint FW-1 dumped a packet and generated a "reaction" packet on
    my internal LAN because of the external dropped packet, I would be banging
    at Checkpoint's door!
    
    Thanks
    
    Mark J. DeFilippis
    Sr. Network Architect
    Mycroft Information Systems
    
    
    --------------------------
    
    Mark J. DeFilippis
    Mycroft Inc - www.mycroftinc.com
    12 E 44th St
    New York, NY 10017
    Tel: 212-632-1928
    Cell: 516-330-3809
    Fax: 561-264-3101
    mark.defilippisat_private
    
    #include <std/disclaimer.h>
    In no way does my opinion reflect the opinion of my employer unless 
    explicitly stated
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
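As an added example (not part of Mark's post, and not SonicWall or Check Point tooling), here is a small Python script that parses log lines in the layout quoted above and flags the pattern he describes: a packet the firewall reports as dropped at the WAN side, followed within a short window by an ICMP Destination Unreachable from a LAN host back to the same external source. The tab-separated sample lines and the 10.9.9.9 entry are constructed, and the endpoint fields are assumed to be normalised to "ip,port-or-type,zone".

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample in the layout of the log quoted above, as tab-separated
# fields: time, message, source, destination, notes, rule. Endpoints are
# "ip,port-or-icmp-type,zone"; the 10.9.9.9 line is made up (no matching drop).
SAMPLE_LOG = """\
22:02:13.768\tUDP packet dropped\t167.206.7.4,53,WAN\t24.184.168.52,5470,WAN\t\t
22:02:13.784\tICMP packet dropped\t192.168.1.22,3,LAN\t167.206.7.4,3,WAN\tDest Unreachable\t26
22:03:43.800\tUDP packet dropped\t167.206.7.4,53,WAN\t24.184.168.52,5470,WAN\t\t
22:03:43.816\tICMP packet dropped\t192.168.1.22,3,LAN\t167.206.7.4,3,WAN\tDest Unreachable\t26
22:04:00.100\tICMP packet dropped\t192.168.1.22,3,LAN\t10.9.9.9,3,WAN\tDest Unreachable\t26
"""

Entry = namedtuple("Entry", "time message src_ip src_zone dst_ip dst_zone notes rule")

def parse_log(text):
    """Parse the tab-separated lines into Entry records, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, msg, src, dst, notes, rule = line.split("\t")
        sip, _, szone = src.split(",")
        dip, _, dzone = dst.split(",")
        entries.append(Entry(datetime.strptime(t, "%H:%M:%S.%f"), msg,
                             sip, szone, dip, dzone, notes, rule))
    return entries

def correlate(entries, window=timedelta(seconds=1)):
    """Pair each LAN host's ICMP Dest Unreachable to a WAN address with the
    dropped inbound packet from that address up to `window` earlier."""
    drops = [e for e in entries if "dropped" in e.message and e.src_zone == "WAN"]
    matched, unmatched = [], []
    for e in entries:
        if not (e.message.startswith("ICMP") and e.src_zone == "LAN"
                and "Unreachable" in e.notes):
            continue
        cause = [d for d in drops
                 if d.src_ip == e.dst_ip and timedelta(0) <= e.time - d.time <= window]
        if cause:
            matched.append((cause[-1], e))   # nearest preceding drop
        else:
            unmatched.append(e)
    return matched, unmatched

def reacting_hosts(text):
    """LAN hosts that answered a packet the firewall claims it dropped."""
    matched, _ = correlate(parse_log(text))
    return sorted({e.src_ip for _, e in matched})
```

Matched pairs are the cases worth raising with the vendor: the LAN host could only have answered if the "dropped" packet reached it. Unmatched reactions point at traffic the log never showed arriving at all.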
    



    This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 16:26:20 PST