
Thread: IP Spoofing?

  1. #1
    Master Untangler
    Join Date
    Dec 2010
    Location
    Boerne, TX
    Posts
    260

    IP Spoofing?

    I set up a firewall rule to block non-US IP addresses. Amazing how many foreign connection attempts there are. I also have a port forward rule to forward RDP to one of my LAN machines. In looking at my logs this morning, I see connection attempts blocked by the non-US rule, but the client and server IP addresses are both the same, being my LAN machine where port forwards are being sent. Is it normal for the source IP to not be showing, or is there IP spoofing going on?
    ...Rick

  2. #2
    Master Untangler
    Join Date
    Dec 2014
    Posts
    117

    Using a block rule for all non-US traffic can be dangerous, as your local-to-local traffic won't have a country attached to it. Can you post your firewall rule or rules you have created there for the blocking of non-US traffic? Thank you.

  3. #3
    Master Untangler
    Join Date
    Dec 2010
    Location
    Boerne, TX
    Posts
    260

    One rule. I changed the rule to "client country" after taking this screenshot.
    Last edited by RBoynton; 02-16-2017 at 12:42 PM.
    ...Rick

  4. #4
    Master Untangler
    Join Date
    Dec 2014
    Posts
    117

    Yeah, client country is what you want for sure on this rule on that first condition. Do you have any IPsec or OpenVPN tunnels that attach to this Untangle? If not, you should now be good to go there now that you switched that first condition.

  5. #5
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,431

    What version are you running? Make sure you are actually looking at the Client IP address, and not just an IP address in the hostname column.

  6. #6
    Master Untangler
    Join Date
    Dec 2010
    Location
    Boerne, TX
    Posts
    260

    The report showed the same IP for both columns, which looked suspicious to me. Running 12.2.2. Not using IPSEC or OpenVPN.

    Edit: looked again and my bad: was looking at the hostname IP not the client IP. Maybe I will wake up some day...
    Last edited by RBoynton; 02-16-2017 at 02:38 PM.
    ...Rick

  7. #7
    Master Untangler
    Join Date
    Dec 2014
    Posts
    117

    12.2.2 does not exist for our software. Do a check for upgrades and make sure you see none currently. If there are any, install them, then check that same report again and let me know if you see the same thing going forward, and if you do, please post a screenshot. Thank you!

  8. #8
    Master Untangler
    Join Date
    Dec 2010
    Location
    Boerne, TX
    Posts
    260

    Should be 12.2.1
    ...Rick

  9. #9
    Master Untangler
    Join Date
    Dec 2014
    Posts
    117

    Got ya. Do your logs look cleaner today on that firewall rule, or what are you seeing now?

  10. #10
    Master Untangler
    Join Date
    Dec 2010
    Location
    Boerne, TX
    Posts
    260

    Still seeing quite a few blocks from foreign IPs trying to connect on 3389. Looks like the firewall is doing its job! Thanks! On a side note, I really like the ability to copy a report and modify it, then add it to my dashboard. In my case, I added the firewall-blocked events with the column "client country". Now I can see who has been knocking on my door!
    degraw32 likes this.
    ...Rick
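
A simplified model of the rule behaviour discussed in this thread, added here as an illustration; it is not Untangle's matching code and was not posted by any participant. It compares a "country is not US" condition on the server side, on the client side, and a client-side variant that skips addresses with no country. The GeoIP table, sessions and function names are constructed, and treating a missing country as "not US" is an assumption of the model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed GeoIP table: documentation-range IPs with made-up countries.
# LAN addresses (192.168.1.x) are deliberately absent: they have no country.
GEO = {"203.0.113.7": "US", "198.51.100.23": "CN", "192.0.2.45": "RU"}

@dataclass
class Session:
    client: str  # address that opened the connection
    server: str  # destination after any port forward has been applied
    port: int

# Constructed sessions, not taken from the thread's logs.
SESSIONS = [
    Session("198.51.100.23", "192.168.1.50", 3389),  # foreign RDP attempt
    Session("203.0.113.7", "192.168.1.50", 3389),    # US RDP via port forward
    Session("192.168.1.20", "192.168.1.50", 445),    # LAN to LAN
    Session("192.168.1.20", "192.0.2.45", 443),      # LAN host browsing out
]

def country(ip: str) -> Optional[str]:
    """Return a country code, or None when the address has no GeoIP entry."""
    return GEO.get(ip)

def naive_block(s: Session, side: str) -> bool:
    """'Country is not US' on one side; a missing country counts as not US."""
    return country(getattr(s, side)) != "US"

def strict_client_block(s: Session) -> bool:
    """Block only when the client has a known country and it is not US."""
    c = country(s.client)
    return c is not None and c != "US"

def decisions(rule: str) -> List[bool]:
    """Return the block decision for each session under the named rule."""
    if rule == "strict":
        return [strict_client_block(s) for s in SESSIONS]
    return [naive_block(s, rule) for s in SESSIONS]

if __name__ == "__main__":
    for rule in ("server", "client", "strict"):
        print(f"{rule:>6}: {decisions(rule)}")
```

In this model the server-side condition blocks every session, including the US client, because the forwarded destination is a LAN address with no country; only the client-side variant that skips unknown countries blocks the foreign RDP attempt alone.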
