07-14-2011, 12:54 PM   #1
crazylegs
Master Untangler
Join Date: Mar 2009
Posts: 194

internal IPs showing up in firewall logs

I've got a single UT box operating as a transparent bridge between my network and the outside world. I have several racks, but I'm seeing connections happen within my network in the firewall logs. For example, my domain controller is in a rack that has little access to or from outside my network, with a few other devices with similar access needs. There are a couple of rules to allow outgoing on port 80 from a couple of devices, but otherwise the default block-all rule is in effect. What I've seen a few times and brushed off as a glitch is allowed connections from my domain controller in the internal-only rack to a device in my default rack. The rule associated with this entry in the log says rule 4, which is the rule that allows and logs traffic from the DC's internal IP on any port to any external IP. But what's logged is xxx.xxx.xxx.xxx:389 to xxx.xxx.xxx.xxx:1027.

This doesn't really make sense. Can anyone help me understand what's going on and why this might be getting logged? Is this normal?

07-14-2011, 02:02 PM   #2
IHateShuttle
Untangler
Join Date: Jul 2009
Location: Left Coast
Posts: 70

"rule 4 - which is the rule that allows and logs traffic from the DC's IP internal on any port to any external IP."


You have an allow any any on an interface for your DC? This seems like the expected behaviour. What is supposed to stop this communication?

Is the UT box the only router in this environment? Do you have subnets? It sounds like the traffic is going through the UT box because it is acting like a router on a stick for your internal network. Hard to tell without more information.
07-14-2011, 02:07 PM   #3
crazylegs
Master Untangler
Join Date: Mar 2009
Posts: 194

"You have an allow any any on an interface for your DC?"

No... it's allow outgoing from any internal port coming from the IP of my DC to an external IP @ port 80.

"What is supposed to stop this communication?"

Nothing, but the traffic shouldn't be routed through UT since it sits on the perimeter and it's not a router, it's a transparent bridge. My switches should be able to route the traffic internally.

"Is the UT box the only router in this environment?"
Yes, this is my only UT box, but it's not acting as a router.

"Do you have subnets?"
No, just one subnet.


Thanks for asking those clarifying questions, IHateShuttle! I really wasn't sure how to describe what I'm looking at.
07-14-2011, 02:08 PM   #4
crazylegs
Master Untangler
Join Date: Mar 2009
Posts: 194

I'd be willing to post a redacted screen grab of the rule if it would be helpful.
07-14-2011, 04:19 PM   #5
sky-knight
Untangle Ninja
Join Date: Apr 2008
Location: Phoenix, AZ
Posts: 15,460

A network map and a screenshot of the rule that is matching would help. I've got an idea as to why this is happening, but without the extra detail I'm just grasping at straws.

Your assumption, however, is based on the following diagram:

Internet -> Router -> Untangle -> Switch -> Servers & Desktops

If you're seeing Untangle log traffic between your server and a workstation and you're wired in like this... something is not working the way you think it is. Because you're right, server and desktop communication is only seen by that switch, it never makes it to the Untangle server.

Now if that router has two internal IP addresses, and it's routing between them Untangle would see the traffic. However, Untangle would also be blocking that traffic, as the second IP range passing through Untangle's bridge would be destroyed.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
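The triage that sky-knight's reasoning implies, written out as an added example (not code from the thread, from Untangle, or from any of the posters): on a perimeter transparent bridge, a flow whose source and destination both sit inside the LAN prefix should never be logged at all, because the switch forwards those frames between its own ports and the bridge never sees them. So the first step is to pull exactly those records out of the log and see which rule matched and which hosts originate them. Everything below is constructed for the example: the one-line record shape, the sample records, and 203.0.113.0/24 (RFC 5737 TEST-NET-3) standing in for the poster's publicly routable internal /24, with 198.51.100.0/24 and 192.0.2.0/24 as outside hosts. Untangle's real log format is different and is not reproduced here.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample records (NOT Untangle's real log format). 203.0.113.0/24
# (RFC 5737 TEST-NET-3) stands in for the poster's publicly routable LAN,
# 198.51.100.0/24 and 192.0.2.0/24 for outside hosts.
SAMPLE_LOG = """\
2011-07-14 12:40:01 203.0.113.10:1234 -> 198.51.100.7:80 rule 3 allow
2011-07-14 12:40:05 203.0.113.10:389 -> 203.0.113.77:1027 rule 4 allow
2011-07-14 12:41:09 192.0.2.55:4444 -> 203.0.113.10:445 rule 99 block
2011-07-14 12:42:30 203.0.113.77:1028 -> 203.0.113.10:389 rule 4 allow
not a flow record at all
"""

# Prefixes that live behind the bridge; an assumption for the example.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) rule (?P<rule>\d+) (?P<action>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    rule: int
    action: str


def parse_log(text):
    """Turn the constructed log text into Flow records, skipping lines that
    do not match the record shape."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        flows.append(Flow(
            ts=m["ts"],
            src=ipaddress.ip_address(m["src"]), sport=int(m["sport"]),
            dst=ipaddress.ip_address(m["dst"]), dport=int(m["dport"]),
            rule=int(m["rule"]), action=m["action"],
        ))
    return flows


def is_internal(addr, nets=INTERNAL_NETS):
    return any(addr in net for net in nets)


def lan_to_lan(flows, nets=INTERNAL_NETS):
    """Flows with BOTH endpoints inside the LAN. A perimeter transparent bridge
    should never see these: the switch forwards them between its own ports and
    the frames never reach the bridge. Any hit means a path or a host is
    pushing local traffic out toward the gateway."""
    return [f for f in flows if is_internal(f.src, nets) and is_internal(f.dst, nets)]


def hits_by_rule(flows, nets=INTERNAL_NETS):
    """Count LAN-to-LAN hits per (rule, action) so the matching rule is
    obvious even in a large log."""
    counts = {}
    for f in lan_to_lan(flows, nets):
        key = (f.rule, f.action)
        counts[key] = counts.get(key, 0) + 1
    return counts


def talkers(flows, nets=INTERNAL_NETS):
    """LAN hosts that originate the stray flows: the machines whose mask or
    default route deserve a look first."""
    return sorted({str(f.src) for f in lan_to_lan(flows, nets)})


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for f in lan_to_lan(flows):
        print(f"{f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport} rule {f.rule} {f.action}")
    print(hits_by_rule(flows), talkers(flows))
```

On the sample data the two LAN-to-LAN records both matched rule 4 and originate from two different LAN hosts; on a real export the `talkers` list is the short list of machines to check, and a list with a single entry points at that host rather than at the switching.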
07-14-2011, 04:30 PM   #6
crazylegs
Master Untangler
Join Date: Mar 2009
Posts: 194

Thanks Sky-knight.

here's the map as I understand it:

my ISP -> gateway which I have no control over but point my internal NICs at -> UT -> my network consisting of a non-DHCP (static) class C single subnet (multiple switches) -> all my internal devices
[Attached image: UT_outgoingPort80_allow.jpg (screenshot of the outgoing port 80 allow rule)]
07-14-2011, 05:30 PM   #7
sky-knight
Untangle Ninja
Join Date: Apr 2008
Location: Phoenix, AZ
Posts: 15,460

Why blank out an Internal IP?

And given what I can see of that rule, it shouldn't be matching traffic on your LAN. If it is, you've got an extra switch path somewhere that's forcing layer 2 into a place it shouldn't be.

Are your switches smart enough to have Spanning Tree Protocol?
07-14-2011, 05:32 PM   #8
crazylegs
Master Untangler
Join Date: Mar 2009
Posts: 194

My internal IPs are publicly addressable, so I'd rather not share them.

Yes, my switches are of the Cisco managed variety.

"an extra switch path somewhere that's forcing layer 2 into a place it shouldn't be."

Any tips on how I might locate and destroy that?

(thanks again, btw)
07-15-2011, 03:58 PM   #9
IHateShuttle
Untangler
Join Date: Jul 2009
Location: Left Coast
Posts: 70

You should have one trunk going to each switch and don't connect them in a circle or mesh unless you want to configure failover paths and redundant trunks which requires STP like sky-knight said. It's all possible with Cisco devices but you would have to know how to do it.

Switches can't do routing unless they are "level 3 switches", which is actually a switch with a router in it (or a router with a switch in it, depending on how you look at it). If routing is provided by the device you call your "gateway", then traffic would have to pass through the UT to get to the router and then come back into the network once it realizes that it was local traffic after all. Being that you only have one subnet, the only reason this would happen is if the subnet mask was set incorrectly on the device that is sending the packets out to the router.

That internal traffic should stay in your switches and never be seen by the UT.
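IHateShuttle's wrong-subnet-mask explanation, worked through as an added example (not code from the thread, from Untangle, or from any of the posters). A host decides whether a destination is on-link by comparing the destination with its own address under its own mask. If the DC is configured with a /25 while the rest of the LAN is a /24, every address in the upper half of the /24 looks off-link to the DC, so it hands those packets to the default gateway, which on this layout (ISP gateway -> UT -> switches) sits on the far side of the bridge. A correctly masked workstation sending to the DC ARPs for it directly and its frames stay on the switch. The hostnames, the addresses (203.0.113.0/24, RFC 5737 TEST-NET-3, standing in for the poster's publicly routable /24) and the /25 mismatch are assumptions made for the example.

```python
import ipaddress

# Constructed LAN for the example (RFC 5737 TEST-NET-3 stands in for the
# poster's publicly routable internal /24). Hostnames and masks are assumptions.
GATEWAY = "203.0.113.1"
LAN_PREFIX = 24
HOSTS = {
    "dc": ("203.0.113.10", 25),            # mis-masked: believes the LAN is a /25
    "workstation": ("203.0.113.200", 24),  # correct mask
    "printer": ("203.0.113.30", 24),       # correct mask
}


def next_hop(host_ip, prefix_len, dst_ip, gateway):
    """Where a host sends a packet for dst_ip: the destination itself when it
    is on-link under the host's OWN mask, otherwise the default gateway. This
    is the ordinary IPv4 forwarding decision, (dst & mask) == (host & mask)."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        return dst                          # ARP for dst; frame stays on the switch
    return ipaddress.ip_address(gateway)    # ARP for the gateway instead


def traverses_bridge(host_ip, prefix_len, dst_ip, gateway):
    """True when the frame is addressed to the gateway. On the poster's layout
    (ISP gateway -> UT bridge -> switches) that frame crosses the bridge even
    though both endpoints are on the same LAN."""
    return next_hop(host_ip, prefix_len, dst_ip, gateway) == ipaddress.ip_address(gateway)


def audit_masks(hosts, gateway, lan_prefix):
    """Report hosts whose configured network disagrees with the LAN's real
    prefix; returns {hostname: network the host believes it is on}."""
    lan = ipaddress.ip_network(f"{gateway}/{lan_prefix}", strict=False)
    wrong = {}
    for name, (ip, plen) in hosts.items():
        believed = ipaddress.ip_interface(f"{ip}/{plen}").network
        if believed != lan:
            wrong[name] = str(believed)
    return wrong


def stray_pairs(hosts, gateway):
    """Every (src, dst) pair of LAN hosts whose packets would be handed to the
    gateway, i.e. what a perimeter bridge would end up logging as LAN-to-LAN."""
    pairs = []
    for sname, (sip, splen) in hosts.items():
        for dname, (dip, _) in hosts.items():
            if sname != dname and traverses_bridge(sip, splen, dip, gateway):
                pairs.append((sname, dname))
    return sorted(pairs)


if __name__ == "__main__":
    print("mis-masked hosts:", audit_masks(HOSTS, GATEWAY, LAN_PREFIX))
    print("pairs seen by the bridge:", stray_pairs(HOSTS, GATEWAY))
```

The asymmetry is the useful diagnostic: only the mis-masked host's half of the conversation is handed to the gateway (here the DC's packets to the workstation, not the workstation's packets to the DC, and not the DC's packets to hosts in the lower half of the /24), so checking the mask on the host that appears as the source of the stray entries, with `ipconfig` or `ip addr` on the box itself, settles the question before any switch-path hunting.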
07-15-2011, 04:05 PM   #10
IHateShuttle
Untangler
Join Date: Jul 2009
Location: Left Coast
Posts: 70

I just thought it would be helpful to look at what kind of traffic it is:

http://www.grc.com/port_389.htm
and
http://www.grc.com/port_1027.htm

are you running MS NetMeeting?
© 2010 Untangle, Inc. All Rights Reserved.