  1. #1
    Untangler malvivent7's Avatar
    Join Date
    Jan 2012
    Location
    Ferrara, Italy
    Posts
    72

    Local subnet identified as external

    Hi Untangle support, I have successfully upgraded my UT to the latest version, 14.1, this night; so far so good. I have ticked the high and critical block rules in the IDS rules, but I suddenly saw in the logs that one subnet (it's an alias of my internal network) is identified as EXTERNAL and not INTERNAL (you can imagine how many problems from my employees). I attach some screenshots for better understanding:
    fig. 1 (internal net): Internal_UT141.PNG
    fig. 2 (UDP scan from external net): attempted_recon_UT41.PNG
    fig. 3 (DNS update from external net): dns_upd_UT41.PNG

    The 192.168.119 net and the 192.168.10 net are both internal, and the latter is an IPv4 alias of the former.
    This is a screenshot of the IDS settings:
    ids_nothick.PNG, but my goal is to activate critical and high.
    Thanks in advance for helping me.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,668

    Source is not necessarily external. Source is just the IP which starts the request.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler malvivent7's Avatar
    Join Date
    Jan 2012
    Location
    Ferrara, Italy
    Posts
    72

    Thanks Jcoffin for your reply, but the rules are fired only from the 192.168.10.0/24 subnet; I have other subnets behind a Cisco router of my ISP's MPLS that are not treated in this manner. I suspect that the IDS module sees this net as external, because the rules blocked (for example SNMP) are UDP communication from printers residing on 192.168.10.

  4. #4
    Master Untangler cblaise's Avatar
    Join Date
    Jul 2014
    Location
    Burlington, VT
    Posts
    138

    I think the solution for you here is to change the value of the EXTERNAL_NET variable from its default value (which is "any") to "!$HOME_NET".

    If that doesn't do it, create rules that disable those specific signatures and make sure they're at the top of the Rules list.
    malvivent7 likes this.
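
Added example, not part of cblaise's post and not Untangle's code: a small Python model of how a Snort-style rule header evaluates `$EXTERNAL_NET` and `$HOME_NET`, showing why the default "any" makes internal-to-internal traffic match and what "!$HOME_NET" changes. The host addresses, the port-161 rule shape, and the assumption that HOME_NET lists both subnets are constructed for illustration; only the two /24 prefixes come from the thread.

```python
import ipaddress

def in_var(addr, value, variables):
    """Return True if addr is inside a Snort-style IP variable value."""
    ip = ipaddress.ip_address(addr)
    pos, neg = [], []
    for item in value.strip("[]").split(","):
        item = item.strip()
        bucket = neg if item.startswith("!") else pos   # "!" negates an element
        item = item.lstrip("!")
        if item == "any":
            bucket.append(True)
        elif item.startswith("$"):                      # reference to another variable
            bucket.append(in_var(addr, variables[item[1:]], variables))
        else:
            bucket.append(ip in ipaddress.ip_network(item))
    # Match = inside some positive element (or none listed) and inside no negated one.
    return (any(pos) or not pos) and not any(neg)

def rule_fires(src, dst, dport, variables):
    """Header check for a rule shaped: alert udp $EXTERNAL_NET any -> $HOME_NET 161"""
    return (dport == 161
            and in_var(src, "$EXTERNAL_NET", variables)
            and in_var(dst, "$HOME_NET", variables))

# Constructed sample values; only the two /24 prefixes come from the thread.
PRINTER = "192.168.10.50"    # hypothetical printer on the alias subnet
SERVER = "192.168.119.10"    # hypothetical internal host on the primary subnet
OUTSIDE = "203.0.113.7"      # documentation-range address standing in for the Internet
BOTH = "[192.168.119.0/24,192.168.10.0/24]"

def scenario(home_net, external_net, src=PRINTER):
    """Evaluate the rule header for src -> SERVER:161 under the given variables."""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}
    return rule_fires(src, SERVER, 161, variables)

if __name__ == "__main__":
    print("default any, printer:        ", scenario(BOTH, "any"))
    print("!$HOME_NET, printer:         ", scenario(BOTH, "!$HOME_NET"))
    print("!$HOME_NET, outside host:    ", scenario(BOTH, "!$HOME_NET", OUTSIDE))
    print("alias missing from HOME_NET: ", scenario("192.168.119.0/24", "!$HOME_NET"))
```

The last case is the one to check on a real box: if the alias subnet is not included in HOME_NET, negating HOME_NET still classifies it as external and the rule keeps firing.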

  5. #5
    Untangler malvivent7's Avatar
    Join Date
    Jan 2012
    Location
    Ferrara, Italy
    Posts
    72

    Quote Originally Posted by cblaise View Post
    I think the solution for you here is to change the value of the EXTERNAL_NET variable from its default value (which is "any") to "!$HOME_NET".

    If that doesn't do it, create rules that disable those specific signatures and make sure they're at the top of the Rules list.
    Thanks cblaise for your response; problem solved using your suggestion.
